By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 event notification to SQS

0

I am an admin IAM user responsible for managing AWS resources. Recently, I enabled CloudTrail, SNS, SQS, and created an S3 bucket, all of which are prerequisite steps for integration account activity logs with Elasticsearch.

The creation of CloudTrail through an S3 bucket proceeded smoothly. However, when attempting to create an S# event notification to SQS, I encountered an error message stating, "Unknown Error: An unexpected error occurred. API responseUnable to validate the following destination configurations." Additionally, Amazon Q Analysis suggests that "The user likely does not have the necessary permissions to configure notifications for this S3 bucket. While the bucket itself may allow listing and accessing objects, permission to modify bucket properties and notifications is controlled separately."

Can you please help in identifying the root cause of this issue? Thanks a lot.

Topics
ServerlessApplication IntegrationStorage
Tags
Amazon Simple Queue ServiceAmazon S3 Access Grants
Language
English
joshus
asked 2 months ago184 views
2 Answers
1
Accepted Answer

Hello.

You need to check the resource-based policy on the SQS side.
Try setting the policy mentioned in the below document on SQS.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#grant-sns-sqs-permission-for-s3

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SQS:SendMessage"
            ],
            "Resource": "arn:aws:sqs:Region:account-id:queue-name",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
}
profile picture
EXPERT
Riku_Kobayashi
answered 2 months ago
0

Thanks so much! I'm glad this helped. My problem was with 'aws:SourceAccount': 'bucket-owner-account-id', which I had completely missed out.

joshus
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content