
Why do I get the error "Unable to validate the following destination configurations" when I use Amazon S3 Event Notifications?


When I use Amazon Simple Storage Service (Amazon S3) Event Notifications to add a notification configuration, I get the "Unable to validate the following destination configurations when creating an Amazon S3 Event Notification" error message. I want to troubleshoot and resolve this issue.

Short description

To prevent validation issues with your destination configurations, make sure that the following conditions are met:

  • The destination must have a resource-based policy that allows Amazon S3 to publish notifications to it.
  • The destination must be in the same AWS Region as the S3 bucket.
  • If the destination is encrypted with an AWS Key Management Service (AWS KMS) key, then the key policy must allow Amazon S3 to use the key.

If you update an event notification configuration, then Amazon S3 verifies that all the event destinations exist. S3 also checks that the event destinations have the resource-based policies that allow S3 to take the following actions based on the event destination type:

  • Publish events
  • Send messages
  • Invoke functions

S3 performs the checks on new event destinations and any existing event destinations that you don't delete during the update. When the checks fail, you might get the error "Unable to validate the following destination configurations".

Resolution

Run the AWSSupport-TroubleshootS3EventNotifications automation runbook

As a best practice, use AWSSupport-TroubleshootS3EventNotifications to troubleshoot common issues that occur when you add an event notification configuration. 

Note:

  • The runbook can only evaluate event notification configurations when the bucket owner is the same as the owner of the AWS account where you run the automation.
  • The runbook can't evaluate policies on destination resources that are hosted in another account.

To run the automation, complete the following steps:

  1. Open the AWS Systems Manager console, and then open AWSSupport-TroubleshootS3EventNotifications.
  2. Choose Execute automation.
  3. Enter your input parameters.
  4. Choose Execute.
  5. Review the results in the Outputs section. 

The final report lists the resources that are configured as event notification destinations for the S3 bucket. If you continue to experience Amazon S3 Event Notification issues, then use the following steps to troubleshoot manually.

Delete events for destinations that no longer exist

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

If your existing event notification sends events to a destination that no longer exists, then delete those events before you update the event notification configuration. This situation typically arises when you delete the destination (the topic, queue, or function) after you configured it as an event destination: the notification remains on the bucket, but the destination that it points to is gone, so validation of the whole configuration fails.

You can use the Amazon S3 console, AWS CLI, or the PutBucketNotificationConfiguration API to delete all events for destinations that no longer exist. Note that PutBucketNotificationConfiguration replaces the bucket's entire notification configuration, so it's a best practice to manage all of the bucket's events in a single PutBucketNotificationConfiguration call rather than mixing tools: include every event that you want to keep and omit the events whose destinations no longer exist.
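The following is an added example, not code from the article or from AWS. It performs the clean-up described above offline, on a constructed copy of what `aws s3api get-bucket-notification-configuration` (or boto3's `get_bucket_notification_configuration`) returns: it drops every entry whose destination ARN is not in a set of ARNs that you have confirmed still exist, and, going one step beyond this section, also drops destinations that sit in a different Region from the bucket (the Region requirement from the Short description). It returns the document to hand back to `put-bucket-notification-configuration`. The account ID, names, and ARNs are made up; in a real run you would build the set of existing ARNs from `aws sns list-topics`, `aws sqs get-queue-attributes --attribute-names QueueArn`, and `aws lambda list-functions`.

```python
"""Drop destinations that no longer exist (or sit in another Region) from an S3
notification configuration before calling PutBucketNotificationConfiguration.

Added example, not from the original article. It works on the dict shape that
`aws s3api get-bucket-notification-configuration` / boto3 return and produces the
shape `put-bucket-notification-configuration` accepts. Sample data is constructed.
"""

# Section name in the configuration -> key that holds the destination ARN.
ARN_KEYS = {
    "TopicConfigurations": "TopicArn",
    "QueueConfigurations": "QueueArn",
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
}


def arn_region(arn):
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed ARN: {arn}")
    return parts[3]


def prune_notification_config(config, existing_arns, bucket_region):
    """Return (cleaned, dropped).

    cleaned: the configuration to send with PutBucketNotificationConfiguration. That
             call replaces the whole configuration, so every destination you want to
             keep must be present; entries are copied through unchanged.
    dropped: (Id, ARN, reason) for each removed entry, for your change record.
    existing_arns: ARNs that still resolve (gather them from sns list-topics,
             sqs get-queue-attributes and lambda list-functions in a real run).
    bucket_region: from get-bucket-location (a null LocationConstraint is us-east-1).
    """
    cleaned, dropped = {}, []
    for section, arn_key in ARN_KEYS.items():
        kept = []
        for entry in config.get(section, []):
            arn = entry[arn_key]
            if arn not in existing_arns:
                dropped.append((entry.get("Id"), arn, "destination no longer exists"))
            elif arn_region(arn) != bucket_region:
                dropped.append((entry.get("Id"), arn,
                                f"destination in {arn_region(arn)}, bucket in {bucket_region}"))
            else:
                kept.append(entry)
        if kept:
            cleaned[section] = kept
    # EventBridge delivery has no per-destination ARN to validate; keep it as-is.
    if "EventBridgeConfiguration" in config:
        cleaned["EventBridgeConfiguration"] = config["EventBridgeConfiguration"]
    # ResponseMetadata (present in a Get response) is deliberately not copied.
    return cleaned, dropped


# Constructed sample: one live topic, one topic deleted after it was wired up, one queue
# in the wrong Region, one live function. Account ID and names are made up.
SAMPLE_CONFIG = {
    "ResponseMetadata": {"HTTPStatusCode": 200},
    "TopicConfigurations": [
        {"Id": "sns-live", "TopicArn": "arn:aws:sns:us-east-1:111122223333:uploads",
         "Events": ["s3:ObjectCreated:*"]},
        {"Id": "sns-deleted", "TopicArn": "arn:aws:sns:us-east-1:111122223333:old-topic",
         "Events": ["s3:ObjectRemoved:*"]},
    ],
    "QueueConfigurations": [
        {"Id": "sqs-wrong-region", "QueueArn": "arn:aws:sqs:eu-west-1:111122223333:ingest",
         "Events": ["s3:ObjectCreated:Put"]},
    ],
    "LambdaFunctionConfigurations": [
        {"Id": "lambda-live",
         "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:thumbnail",
         "Events": ["s3:ObjectCreated:*"]},
    ],
}
EXISTING_ARNS = {
    "arn:aws:sns:us-east-1:111122223333:uploads",
    "arn:aws:sqs:eu-west-1:111122223333:ingest",
    "arn:aws:lambda:us-east-1:111122223333:function:thumbnail",
}

if __name__ == "__main__":
    import json
    cleaned, dropped = prune_notification_config(SAMPLE_CONFIG, EXISTING_ARNS, "us-east-1")
    for item in dropped:
        print("dropping", *item)
    # Save this output as cleaned.json and apply it with:
    # aws s3api put-bucket-notification-configuration --bucket BUCKET \
    #     --notification-configuration file://cleaned.json
    print(json.dumps(cleaned, indent=2))
```

Because the Put call replaces the whole configuration, review the `dropped` list before you apply the result; anything not in `cleaned` will stop being delivered.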

Confirm that the event destinations have valid resource-based policies

To publish messages to the following AWS services, grant Amazon S3 the necessary permissions to call the relevant API:

  • Amazon Simple Notification Service (Amazon SNS) topic
  • Amazon Simple Queue Service (Amazon SQS) queue
  • AWS Lambda function

Example Amazon SNS topic destination policy:

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "Example SNS topic policy",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SNS:Publish"
            ],
            "Resource": "SNS-topic-ARN",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:bucket-name"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
}

Example Amazon SQS queue destination policy:

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SQS:SendMessage"
            ],
            "Resource": "arn:aws:sqs:Region:account-id:queue-name",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
}

Example Lambda function destination policy:

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "s3invoke",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:Region:account-id:function:function-name",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "bucket-owner-account-id"
                },
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws:s3:::awsexamplebucket1"
                }
            }
        }
    ]
}

If you add a new event to the bucket, then make sure that the new event's destination has a valid resource-based policy.

For more information about Amazon SNS topic or Amazon SQS queue permissions, see Granting permissions to publish messages to an SNS topic or an SQS queue.

To update the Lambda function with valid policies, see Tutorial: Using an Amazon S3 trigger to invoke a Lambda function.

If you use the S3 console to turn on Event Notifications, then the console tries to update the destination's resource-based policy for you before it adds the event. If the resource-based policy of the destination that you're adding is valid and you still get the same error, then check all existing event destinations for valid resource-based policies: S3 revalidates every destination in the configuration, not only the new one. If you modify a resource-based policy for an existing event destination after you update the event notification configuration on the bucket, so that S3 is no longer allowed to publish to it, then the next update to the configuration fails validation. To prevent the issue, make sure that all permissions are valid, and delete events whose destinations are no longer valid.

Make sure that the AWS KMS key policy is correct for AWS KMS encrypted topics and queues

If you activated AWS KMS encryption for an SQS or SNS destination, then update the customer managed key's key policy to allow Amazon S3 to use the key. S3 must generate data keys with, and decrypt with, the key to publish to the encrypted destination.

AWS managed keys, such as aws/sns and aws/sqs, aren't supported, because you can't edit the key policy of an AWS managed key to grant S3 access. If you use an AWS managed key on your event destination, then you must update the destination to use a customer managed key. Then, update the key policy.

Example AWS KMS key policy (in a key policy, "Resource": "*" refers to the key that the policy is attached to, not to all keys):

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}
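The two sections above (destination resource-based policies for SNS, SQS and Lambda, and the KMS key policy) both come down to the same question: does the policy document contain an Allow statement that lets the s3.amazonaws.com service principal perform the required action, with any aws:SourceArn and aws:SourceAccount conditions that the bucket actually satisfies? The following is an added example, not code from the article or from AWS, that answers that question from the policy document alone, without calling AWS. It models the pieces of IAM evaluation that these policies rely on: case-insensitive action names (SNS:Publish and sns:publish are the same action), case-insensitive condition keys (aws:SourceArn and AWS:SourceArn), component-wise ArnLike wildcards (arn:aws:s3:*:*:bucket matches arn:aws:s3:::bucket), and a bare "*" Resource in a key policy. It is not a full IAM evaluator; explicit Deny, NotAction, NotResource and condition keys that S3 does not send are treated as "cannot be shown to allow". The sample policies are the article's SNS and KMS examples with constructed values filled in, plus one deliberately wrong SQS policy whose aws:SourceArn names a different bucket; all account IDs, names and ARNs are made up.

```python
"""Static check: does this SNS/SQS/Lambda destination policy or KMS key policy grant
s3.amazonaws.com what S3 event notification validation needs?

Added example, not from the original article, and not a full IAM evaluator: explicit Deny,
NotAction, NotResource and condition keys S3 does not send on a notification call count as
"cannot be shown to allow". All account IDs, names and ARNs are constructed.
"""
import re

S3_PRINCIPAL = "s3.amazonaws.com"
# Actions the article says S3 needs, by destination type.
REQUIRED_ACTIONS = {
    "sns": ["SNS:Publish"],
    "sqs": ["SQS:SendMessage"],
    "lambda": ["lambda:InvokeFunction"],
    "kms": ["kms:GenerateDataKey", "kms:Decrypt"],
}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _arn_like(pattern, arn):
    """ArnLike is case-sensitive and matches each of the six colon-delimited fields on its own,
    so 'arn:aws:s3:*:*:b' matches 'arn:aws:s3:::b'. A bare '*' (key policy Resource) matches all."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(_glob(x, y, False) for x, y in zip(p, a))

def _conditions_hold(cond, bucket_arn, account_id):
    """Only aws:SourceArn and aws:SourceAccount (the keys S3 supplies) can be shown true."""
    for operator, pairs in cond.items():
        op = operator.lower()
        for key, values in pairs.items():
            key, values = key.lower(), [str(v) for v in _as_list(values)]  # keys are case-insensitive
            if key == "aws:sourcearn" and op in ("arnlike", "arnequals", "stringlike", "stringequals"):
                ok = any(_arn_like(v, bucket_arn) if op.startswith("arn") else _glob(v, bucket_arn, False)
                         for v in values)
            elif key == "aws:sourceaccount" and op in ("stringequals", "stringlike"):
                ok = any(_glob(v, account_id, False) for v in values)
            else:
                ok = False
            if not ok:
                return False
    return True

def s3_allowed(policy, action, resource_arn, bucket_arn, account_id):
    """True if an Allow statement grants s3.amazonaws.com `action` on `resource_arn` for `bucket_arn`."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue
        principal = stmt.get("Principal", {})
        who = (_as_list(principal.get("Service")) + _as_list(principal.get("AWS"))
               if isinstance(principal, dict) else _as_list(principal))
        if S3_PRINCIPAL not in who and "*" not in who:
            continue
        if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action"))):  # actions: case-insensitive
            continue
        if not any(_arn_like(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        if _conditions_hold(stmt.get("Condition", {}), bucket_arn, account_id):
            return True
    return False

def missing_grants(policy, kind, resource_arn, bucket, account_id):
    """Required actions that `policy` does not grant S3 for `bucket`; an empty list means OK."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return [a for a in REQUIRED_ACTIONS[kind]
            if not s3_allowed(policy, a, resource_arn, bucket_arn, account_id)]

BUCKET, ACCOUNT = "awsexamplebucket1", "111122223333"
SNS_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:uploads"
SQS_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:ingest"
KMS_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

# The article's SNS policy with its placeholders filled in.
GOOD_SNS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": S3_PRINCIPAL},
    "Action": ["SNS:Publish"], "Resource": SNS_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{BUCKET}"},
                  "StringEquals": {"aws:SourceAccount": ACCOUNT}}}]}

# Same shape, but aws:SourceArn names another bucket: a policy copied from a different bucket.
BAD_SQS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": S3_PRINCIPAL},
    "Action": "sqs:sendmessage", "Resource": SQS_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:*:*:some-other-bucket"}}}]}

# The article's key policy. Resource "*" in a key policy means "this key"; with no Condition,
# S3 may use the key on behalf of any bucket in any account, so dedicate the key to this use.
KMS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": S3_PRINCIPAL},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}
```

To check a live destination, feed the policy document in: `aws sns get-topic-attributes --topic-arn ARN --query 'Attributes.Policy' --output text`, `aws sqs get-queue-attributes --queue-url URL --attribute-names Policy`, `aws lambda get-policy --function-name NAME`, and `aws kms get-key-policy --key-id ID --policy-name default` each return the policy as a JSON string that `json.loads` turns into the dict `missing_grants` expects. An empty list for every destination in the bucket's configuration is what validation needs; a non-empty list tells you which action, on which destination, to fix.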

Related information

AWS Identity and Access Management (IAM) policy for a destination SNS topic

IAM policy for a destination SQS queue

AWS OFFICIAL. Updated 10 months ago
4 Comments

Please review and make a correction to the typographical error under "Example Amazon SNS topic destination policy". Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#sns-topic-policy

**Example Amazon SNS topic destination policy:**

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "Example SNS topic policy",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SNS:Publish"
            ],
            "Resource": "SNS-topic-ARN",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:bucket-name"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
} 

AWS
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

How do I apply this policy to all the S3 Buckets in my AWS account using the same SNS Topic? I appreciate your support.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied a year ago