AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

S3 event notification to SQS

0

I am an admin IAM user responsible for managing AWS resources. Recently, I enabled CloudTrail, SNS, SQS, and created an S3 bucket, all of which are prerequisite steps for integration account activity logs with Elasticsearch.

The creation of CloudTrail through an S3 bucket proceeded smoothly. However, when attempting to create an S# event notification to SQS, I encountered an error message stating, "Unknown Error: An unexpected error occurred. API responseUnable to validate the following destination configurations." Additionally, Amazon Q Analysis suggests that "The user likely does not have the necessary permissions to configure notifications for this S3 bucket. While the bucket itself may allow listing and accessing objects, permission to modify bucket properties and notifications is controlled separately."

Can you please help in identifying the root cause of this issue? Thanks a lot.

トピック
サーバーレスアプリケーション統合ストレージ
タグ
Amazon Simple Queue ServiceAmazon S3 Access Grants
言語
English
joshus
質問済み 2ヶ月前200ビュー
2回答
1
承認された回答

Hello.

You need to check the resource-based policy on the SQS side.
Try setting the policy mentioned in the below document on SQS.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#grant-sns-sqs-permission-for-s3

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SQS:SendMessage"
            ],
            "Resource": "arn:aws:sqs:Region:account-id:queue-name",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
}
profile picture
エキスパート
Riku_Kobayashi
回答済み 2ヶ月前
0

Thanks so much! I'm glad this helped. My problem was with 'aws:SourceAccount': 'bucket-owner-account-id', which I had completely missed out.

joshus
回答済み 2ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ