S3 event notification to SQS

0

I am an admin IAM user responsible for managing AWS resources. Recently, I enabled CloudTrail, SNS, SQS, and created an S3 bucket, all of which are prerequisite steps for integrating account activity logs with Elasticsearch.

The creation of CloudTrail through an S3 bucket proceeded smoothly. However, when attempting to create an S3 event notification to SQS, I encountered an error message stating, "Unknown Error: An unexpected error occurred. API response: Unable to validate the following destination configurations." Additionally, Amazon Q Analysis suggests that "The user likely does not have the necessary permissions to configure notifications for this S3 bucket. While the bucket itself may allow listing and accessing objects, permission to modify bucket properties and notifications is controlled separately."

Can you please help in identifying the root cause of this issue? Thanks a lot.

2 Answers
1
Accepted answer

Hello.

You need to check the resource-based policy on the SQS side.
Try setting the policy mentioned in the below document on SQS.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#grant-sns-sqs-permission-for-s3

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SQS:SendMessage"
            ],
            "Resource": "arn:aws:sqs:Region:account-id:queue-name",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
}
EXPERT
answered 2 months ago
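As an added example (not code from the answer above or from AWS), a small Python script that builds the queue policy the linked document describes and checks an existing policy statement for the parts that are easy to omit: the s3.amazonaws.com service principal, SQS:SendMessage on the queue ARN, and the aws:SourceArn and aws:SourceAccount conditions that limit the grant to one bucket in one account so that S3 cannot be used as a confused deputy by a bucket elsewhere. Queue ARN, bucket name and account id in the test are constructed sample values.

```python
def build_queue_policy(queue_arn, bucket_name, bucket_owner_account):
    """Queue policy that lets only S3, acting for this bucket in this account, send to the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SQS:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": bucket_owner_account},
            },
        }],
    }

def _as_list(v):
    # IAM policy JSON allows a single string or a list in most fields; normalise to a list.
    return v if isinstance(v, list) else [v]

def statement_gaps(stmt, queue_arn, bucket_name, bucket_owner_account):
    """What one statement lacks to be a complete, bucket- and account-scoped S3 -> SQS grant."""
    gaps = []
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if stmt.get("Effect") != "Allow":
        gaps.append("Effect is not Allow")
    if "s3.amazonaws.com" not in services:
        gaps.append("Principal does not name the s3.amazonaws.com service")
    if not {a.lower() for a in _as_list(stmt.get("Action", []))} & {"sqs:sendmessage", "sqs:*"}:
        gaps.append("Action does not include SQS:SendMessage")
    if queue_arn not in _as_list(stmt.get("Resource", [])):  # strict: a "*" resource is not accepted
        gaps.append("Resource is not the queue ARN")
    cond = stmt.get("Condition", {})
    # Accept the wildcard form used in the AWS document or the exact bucket ARN.
    bucket_arns = {f"arn:aws:s3:*:*:{bucket_name}", f"arn:aws:s3:::{bucket_name}"}
    if cond.get("ArnLike", {}).get("aws:SourceArn") not in bucket_arns:
        gaps.append("aws:SourceArn condition does not pin the bucket")
    if cond.get("StringEquals", {}).get("aws:SourceAccount") != bucket_owner_account:
        gaps.append("aws:SourceAccount condition does not pin the bucket owner account")
    return gaps

def policy_gaps(policy, queue_arn, bucket_name, bucket_owner_account):
    """[] when some statement is a complete grant, else the gaps of the closest statement."""
    per_stmt = [statement_gaps(s, queue_arn, bucket_name, bucket_owner_account)
                for s in _as_list(policy.get("Statement", []))]
    return min(per_stmt, key=len) if per_stmt else ["policy has no statements"]
```

Run it against the policy fetched with `aws sqs get-queue-attributes --attribute-names Policy` before configuring the S3 notification, so the destination validation does not fail for a reason the queue policy could have told you.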
0

Thanks so much! I'm glad this helped. My problem was with 'aws:SourceAccount': 'bucket-owner-account-id', which I had completely missed out.

joshus
answered 2 months ago
