Why aren't Amazon S3 event notifications delivered to an Amazon SQS queue that uses server-side encryption?


Amazon Simple Storage Service (Amazon S3) event notifications aren't delivered to my server-side encryption (SSE) Amazon Simple Queue Service (Amazon SQS) queue.

Resolution

Complete these steps to configure and send S3 event notifications to an Amazon SQS queue that uses server-side encryption (SSE).

Create a customer managed AWS KMS key and configure the key policy

You must encrypt Amazon SQS queues with a customer managed AWS Key Management Service (AWS KMS) key. Then, grant the Amazon S3 service principal permissions to work with encrypted queues.

Note: You can't modify the default AWS managed KMS key. Instead, you must use a customer managed key for this process. You must also add permissions to the AWS KMS key to allow access to a specified service principal.

To grant the Amazon S3 service principal permissions, add this statement to the customer managed key policy:

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

Note: Replace arn:aws:iam::111122223333:root with the ARN of your own account (the second statement keeps administrative access to the key for your account; the first grants the S3 service principal only the two actions it needs).

Create an SQS queue and grant Amazon S3 permissions

  1. Create an Amazon SQS queue that's configured to use SSE. For more information, see Configuring server-side encryption (SSE) for a queue (console).
  2. To allow Amazon S3 to send messages to the queue, add this permissions statement to the SQS queue:
{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:sqs-s3-kms-same-account",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:hellobucket"
        }
      }
    }
  ]
}

Note: Replace the Resource value with your SQS queue ARN, aws:SourceAccount with your AWS source account ID, and aws:SourceArn with your Amazon S3 bucket ARN.

In the preceding example, the S3 bucket hellobucket for customer account 123456789 can send ObjectCreated event notifications to the specified SQS queue. For more information on the required permissions to work with encrypted SQS queues, see Key management.
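The two policies above are easy to get subtly wrong: S3 may be granted only one of the two kms: actions, or the SQS SendMessage grant may be copied without its Condition block, which leaves the queue writable by any bucket in any AWS account. The following checker, an added example that is not part of this article or of any AWS tool, reads both policies as Python dicts and reports what is missing. The function names (missing_kms_permissions, queue_policy_findings) and the sample account ID, bucket and queue names are constructed placeholders; the ArnLike comparison is approximated with fnmatch.

```python
from fnmatch import fnmatchcase

S3_SERVICE = "s3.amazonaws.com"
# kms: actions the S3 service principal needs on the queue's customer managed key
KMS_ACTIONS_NEEDED = {"kms:generatedatakey", "kms:decrypt"}


def _as_list(value):
    """IAM policy JSON lets a single string stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _allows_s3_service(stmt):
    """True if the statement is an Allow whose Principal includes the S3 service."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return S3_SERVICE in _as_list(principal.get("Service", []))


def _actions(stmt):
    """IAM action names match case-insensitively, so compare in lower case."""
    return {a.lower() for a in _as_list(stmt.get("Action", []))}


def missing_kms_permissions(key_policy):
    """Return the kms: actions the S3 principal still lacks; an empty set means OK."""
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if _allows_s3_service(stmt):
            acts = _actions(stmt)
            if "kms:*" in acts:
                return set()
            granted |= acts
    return KMS_ACTIONS_NEEDED - granted


def queue_policy_findings(queue_policy, queue_arn, bucket_arn, account_id):
    """Return findings for the queue policy; an empty list means at least one
    SendMessage grant to S3 is scoped to this queue, account and bucket."""
    findings, matched = [], False
    for stmt in queue_policy.get("Statement", []):
        if not _allows_s3_service(stmt):
            continue
        if not _actions(stmt) & {"sqs:sendmessage", "sqs:*"}:
            continue
        if not {queue_arn, "*"} & set(_as_list(stmt.get("Resource", []))):
            continue  # grants SendMessage, but on a different queue
        matched = True
        cond = stmt.get("Condition", {})
        src_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        src_arn = (cond.get("ArnLike", {}).get("aws:SourceArn")
                   or cond.get("ArnEquals", {}).get("aws:SourceArn"))
        problems = []
        if src_account is None or src_arn is None:
            # Without both conditions any bucket in any account can deliver to the queue
            problems.append("SendMessage grant has no aws:SourceAccount/aws:SourceArn "
                            "condition: any bucket in any account could write to the queue")
        else:
            if src_account != account_id:
                problems.append(f"aws:SourceAccount is {src_account}, expected {account_id}")
            if not any(fnmatchcase(bucket_arn, p) for p in _as_list(src_arn)):
                problems.append(f"aws:SourceArn {src_arn} does not match {bucket_arn}")
        if not problems:
            return []  # one fully correct statement is enough
        findings.extend(problems)
    if not matched:
        return [f"no Allow statement grants {S3_SERVICE} SQS:SendMessage on {queue_arn}"]
    return findings


# Constructed sample policies shaped like the statements in the article; the
# account ID, bucket and queue names are placeholders, not values from a real account.
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_BUCKET_ARN = "arn:aws:s3:::hellobucket"
SAMPLE_QUEUE_ARN = f"arn:aws:sqs:us-east-1:{SAMPLE_ACCOUNT}:sqs-s3-kms-same-account"

GOOD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowS3ToUseKey", "Effect": "Allow",
     "Principal": {"Service": S3_SERVICE},
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{SAMPLE_ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]}
# Same key policy, but S3 was granted only GenerateDataKey
WEAK_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    dict(GOOD_KEY_POLICY["Statement"][0], Action="kms:GenerateDataKey"),
    GOOD_KEY_POLICY["Statement"][1]]}

GOOD_QUEUE_STATEMENT = {
    "Sid": "AllowS3SendMessage", "Effect": "Allow",
    "Principal": {"Service": S3_SERVICE},
    "Action": "SQS:SendMessage", "Resource": SAMPLE_QUEUE_ARN,
    "Condition": {"StringEquals": {"aws:SourceAccount": SAMPLE_ACCOUNT},
                  "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:hellobucket"}}}
GOOD_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [GOOD_QUEUE_STATEMENT]}
# Same grant with the Condition block dropped: the queue is open to any bucket
OPEN_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD_QUEUE_STATEMENT.items() if k != "Condition"}]}

if __name__ == "__main__":
    print("weak key policy, missing:", missing_kms_permissions(WEAK_KEY_POLICY))
    print("open queue policy:", queue_policy_findings(
        OPEN_QUEUE_POLICY, SAMPLE_QUEUE_ARN, SAMPLE_BUCKET_ARN, SAMPLE_ACCOUNT))
```

Run it against the output of `aws kms get-key-policy` and `aws sqs get-queue-attributes --attribute-names Policy` (both return the policy as a JSON string, so parse it with json.loads first). The checker deliberately treats a missing Condition as a finding rather than a pass: delivery would work, but the queue policy would no longer pin the writer to your bucket and account.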

Create an S3 event

To add an Amazon S3 event for your bucket, complete these steps:

  1. Open the S3 console, and then choose the hyperlinked Name for your S3 bucket.
  2. From the Properties tab, choose Create event notification.
  3. On the Create event notification page, enter this information:
    For Event name, enter a name.
    For Event types, select the event types that you want to receive notifications for.
    For Destination, choose SQS queue.
    For SQS queue, choose your queue.
  4. Choose Save changes.

Confirm that your Amazon S3 event type is configured correctly

When you configure an Amazon S3 event notification, you must specify which supported event types cause Amazon S3 to send the notification. If an event of a type that you didn't specify occurs in your Amazon S3 bucket, then Amazon S3 doesn't send a notification for it.

Confirm that your object key name filters are in URL-encoded format

When event notifications are configured to use object key name filtering, notifications are published only for objects whose key names have the specified prefixes or suffixes.

If you use special characters in your prefixes or suffixes, then you must enter them in URL-encoded format. For more information, see Configuring event notifications using object key name filtering.

Note: You can't use a wildcard character ("*") as a prefix or suffix to represent any character in filters.

Check that all the event destinations exist

The error "Unable to validate the following destination configurations" occurs when a destination referenced in the bucket's event notification configuration doesn't exist.

If you configured an event notification to send events to a destination that no longer exists, then you must remove these events. Make sure that you remove the events before you update the event notification configuration.

Note: It's a best practice to use the PutBucketNotificationConfiguration API to delete all events with non-existent destinations.

Check the S3 bucket and SQS queue Regions

You can't send notifications from an S3 bucket in one AWS Region to an Amazon SQS queue in another Region. Instead, set an Amazon Simple Notification Service (Amazon SNS) topic as the S3 bucket destination with an Amazon SQS queue in a different Region. Amazon SNS supports cross-Region notification delivery to Amazon SQS queues and AWS Lambda functions.

For more information, see Sending Amazon SNS messages to an Amazon SQS queue or Lambda function in a different Region.
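The three checks above (event types, key name filters, and queue Region) can all be applied to the bucket's notification configuration before it is saved. The following validator is an added example, not part of this article or of any AWS tool; it takes a configuration in the shape returned by the S3 GetBucketNotificationConfiguration API and the bucket's Region, and reports queue destinations in another Region, unrecognised event types, filter values containing "*", and filter values that still contain raw special characters. The function names, the KNOWN_EVENTS subset, and the sample configuration are constructed for this example; treat the percent-encoding rule (everything except unreserved characters and "/") as an assumption to check against the S3 documentation for your case.

```python
from urllib.parse import quote, unquote

# Event types this checker recognises: a constructed subset of the S3 notification
# event types (extend it if you subscribe to others, such as replication events).
KNOWN_EVENTS = {
    "s3:ObjectCreated:*", "s3:ObjectCreated:Put", "s3:ObjectCreated:Post",
    "s3:ObjectCreated:Copy", "s3:ObjectCreated:CompleteMultipartUpload",
    "s3:ObjectRemoved:*", "s3:ObjectRemoved:Delete", "s3:ObjectRemoved:DeleteMarkerCreated",
}


def encode_filter_value(raw):
    """Return the URL-encoded form of a raw prefix or suffix, keeping '/' as-is.
    Raises ValueError for '*', which S3 filters match literally, not as a wildcard."""
    if "*" in raw:
        raise ValueError("'*' is not a wildcard in S3 key name filters; use a literal prefix or suffix")
    return quote(raw, safe="/")


def _region_of(arn):
    # ARN layout: arn:partition:service:region:account:resource
    return arn.split(":", 5)[3]


def notification_findings(config, bucket_region):
    """Return a list of findings for the QueueConfigurations in an S3 notification
    configuration; an empty list means nothing in these checks would block delivery."""
    findings = []
    for qc in config.get("QueueConfigurations", []):
        ident = qc.get("Id", qc.get("QueueArn"))
        queue_region = _region_of(qc["QueueArn"])
        if queue_region != bucket_region:
            # S3 cannot deliver directly to a queue in another Region; SNS can bridge Regions
            findings.append(f"{ident}: queue is in {queue_region} but the bucket is in "
                            f"{bucket_region}; use an SNS topic for cross-Region delivery")
        for event in qc.get("Events", []):
            if event not in KNOWN_EVENTS:
                findings.append(f"{ident}: event type {event!r} is not in the known list")
        for rule in qc.get("Filter", {}).get("Key", {}).get("FilterRules", []):
            name, value = rule.get("Name", "").lower(), rule.get("Value", "")
            if name not in ("prefix", "suffix"):
                findings.append(f"{ident}: filter rule name {name!r} must be prefix or suffix")
            if "*" in value:
                findings.append(f"{ident}: {name} {value!r} contains '*', which is matched "
                                "literally, not as a wildcard")
            elif value != quote(unquote(value), safe="/"):
                # Raw special characters (space, '+', non-ASCII, ...) must be percent-encoded
                findings.append(f"{ident}: {name} {value!r} is not URL-encoded; enter "
                                f"{quote(unquote(value), safe='/')!r} instead")
    return findings


# Constructed sample configuration: one correct destination, one queue in the wrong
# Region, and one destination with two faulty filter values. Account ID, queue and
# bucket names are placeholders.
SAMPLE_QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:sqs-s3-kms-same-account"
SAMPLE_CONFIG = {"QueueConfigurations": [
    {"Id": "ok", "QueueArn": SAMPLE_QUEUE_ARN, "Events": ["s3:ObjectCreated:*"],
     "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "images/"}]}}},
    {"Id": "wrong-region", "QueueArn": "arn:aws:sqs:eu-west-1:111122223333:other-queue",
     "Events": ["s3:ObjectCreated:Put"]},
    {"Id": "bad-filter", "QueueArn": SAMPLE_QUEUE_ARN, "Events": ["s3:ObjectCreated:*"],
     "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "logs/my folder/"},
                                        {"Name": "suffix", "Value": "*.jpg"}]}}},
]}

if __name__ == "__main__":
    for finding in notification_findings(SAMPLE_CONFIG, "us-east-1"):
        print(finding)
```

To check a live bucket, feed it the output of `aws s3api get-bucket-notification-configuration --bucket <name>` (parsed with json.loads) together with the Region from `aws s3api get-bucket-location`. Use encode_filter_value when composing a new prefix or suffix from a raw key name, so that a space becomes %20 before it is entered in the console or API call.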

Confirm that messages were sent to the Amazon SQS queue

Use the Amazon CloudWatch NumberOfMessagesSent metric to check that the messages were sent to the Amazon SQS queue.

For more information, see Why is my Amazon SQS queue not receiving messages?

Troubleshoot with AWS Support

If the preceding troubleshooting steps don't resolve your issue, then contact AWS Support. Include the RequestId and timestamp with timezone of the failed API calls in your correspondence.

Related information

How can I get my Amazon SQS subscription to successfully receive a notification from my Amazon SNS topic?

Amazon S3 Event Notifications

Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue)

AWS OFFICIAL
Updated by AWS OFFICIAL 5 months ago