Why do I get the error "Unable to validate the following destination configurations" when I create an Amazon S3 Event Notification?


I want to troubleshoot this error when I create an Amazon Simple Storage Service (Amazon S3) Event Notification: "Unable to validate the following destination configurations when creating an Amazon S3 Event Notification".

Short description

To prevent this error, you must meet these conditions:

  • When you create an Amazon S3 Event Notification, the specified destination must have a resource-based policy that allows S3 to publish notifications to the destination.
  • The AWS Region for the destination must be the same Region as the S3 bucket.
  • If you encrypted the destination with an AWS Key Management Service (AWS KMS) key, then the key policy must allow access to S3.

If you update an event notification configuration, then Amazon S3 verifies that all the event destinations exist. S3 also checks that the event destinations have the resource-based policies that allow S3 to take the following actions based on the event destination type:

  • Publish events
  • Send messages
  • Invoke functions

S3 performs these checks on new event destinations and any existing event destinations that you don't delete during the update. When these checks fail, you might get the error "Unable to validate the following destination configurations".

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Resolution

Be sure that all the event destinations exist

You get this error when an event destination that's on the bucket doesn't exist.

If your existing event notification configuration sends events to a destination that no longer exists, then remove those events before you update the configuration. This situation arises when you delete a destination after you configured the notification: the notification still exists on the bucket, but its destination doesn't.

It's a best practice to use the same PutBucketNotificationConfiguration API to delete all events with non-existent destinations. You can use the Amazon S3 console, AWS CLI, or AWS SDK to call the PutBucketNotificationConfiguration API.

Confirm that the event destinations have valid resource-based policies

To publish messages to the following AWS services, grant Amazon S3 the necessary permissions to call the relevant API:

  • Amazon Simple Notification Service (Amazon SNS) topic
  • Amazon Simple Queue Service (Amazon SQS) queue
  • AWS Lambda function

Example Amazon SNS topic destination policy

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "Example SNS topic policy",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "SNS:Publish"
      ],
      "Resource": "SNS-topic-ARN",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:bucket-name"
        },
        "StringEquals": {
          "aws:SourceAccount": "bucket-owner-account-id"
        }
      }
    }
  ]
}

Example Amazon SQS queue destination policy

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "SQS:SendMessage"
      ],
      "Resource": "arn:aws:sqs:Region:account-id:queue-name",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"
        },
        "StringEquals": {
          "aws:SourceAccount": "bucket-owner-account-id"
        }
      }
    }
  ]
}

Example Lambda function destination policy

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "s3invoke",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:Region:account-id:function:function-name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "bucket-owner-account-id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::awsexamplebucket1"
        }
      }
    }
  ]
}

If you add a new event to the bucket, then make sure that the new event's destination has a valid resource-based policy.

For more information on Amazon SNS topic or Amazon SQS queue permissions, see Granting permissions to publish messages to an SNS topic or an SQS queue.

To update the Lambda function with valid policies, see Tutorial: Using an Amazon S3 trigger to invoke a Lambda function.

Note: If you use the S3 console to turn on Event Notifications, then S3 tries to update the destination policy before the policy is added to the event. If the event destination's resource-based policy is valid but you still get the same error, then check all existing event destinations for valid resource-based policies. You also get this error if you modify any event destination's resource-based policy after you update the event notification configuration on the bucket. To prevent the error, make sure that all permissions are valid and delete events whose destinations aren't valid.

Make sure that the AWS KMS key policy is correct for AWS KMS encrypted topics and queues

If you activate AWS KMS encryption for an SQS or SNS destination, then update the customer managed key policy to allow S3 to use the key. For more information, see AWS KMS key policy.

AWS managed keys, such as aws/sns and aws/sqs, aren't supported. If you use an AWS managed key on your event destination, then you must update the destination to use a customer managed key. Then, update the key policy.

Example AWS KMS key policy

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
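As an added example (not part of this article and not AWS code), the following Python checks a destination policy and a KMS key policy offline against the three conditions from the short description: the required action is granted to the S3 service principal for the bucket and account named in the aws:SourceArn and aws:SourceAccount conditions, the destination is in the bucket's Region, and the key is customer managed and grants kms:GenerateDataKey and kms:Decrypt. The function names, the sample account ID, ARNs and bucket name are constructed for illustration, and the evaluator models only the statement shapes shown above (Allow statements, Service principals, ArnLike and StringEquals), not full IAM policy evaluation.

```python
import fnmatch

S3 = "s3.amazonaws.com"
REQUIRED_ACTION = {"sns": "sns:Publish", "sqs": "sqs:SendMessage", "lambda": "lambda:InvokeFunction"}

def _lst(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(cond, bucket_arn, account_id):
    # Only the two keys the article's policies use are evaluated; IAM compares keys and operators
    # case-insensitively, so aws:SourceArn and AWS:SourceArn are the same key.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            key, op, want = key.lower(), op.lower(), _lst(want)
            if key == "aws:sourcearn":
                ok = any(fnmatch.fnmatchcase(bucket_arn, p) for p in want) if op == "arnlike" else bucket_arn in want
            elif key == "aws:sourceaccount":
                ok = account_id in want
            else:
                continue
            if not ok:
                return False
    return True

def s3_can(policy, action, bucket_name, account_id):
    # True if an Allow statement lets s3.amazonaws.com perform `action` for events from `bucket_name`
    # owned by `account_id`. Deny statements are not modelled.
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for st in _lst(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _lst(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
        if st.get("Effect") != "Allow" or not ({S3, "*"} & set(services)):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _lst(st.get("Action", []))):
            continue  # action names are case-insensitive: "SNS:Publish" matches "sns:Publish"
        if _conditions_hold(st.get("Condition", {}), bucket_arn, account_id):
            return True
    return False

def destination_ok(dest_type, dest_arn, policy, bucket_region, bucket_name, account_id):
    # The destination must be in the bucket's Region (ARN field 4) and grant S3 the required action.
    return dest_arn.split(":")[3] == bucket_region and s3_can(policy, REQUIRED_ACTION[dest_type], bucket_name, account_id)

def kms_key_ok(key_alias, key_policy, bucket_name, account_id):
    # AWS managed keys (alias/aws/...) are unsupported; a customer managed key must grant both actions.
    return not key_alias.startswith("alias/aws/") and all(
        s3_can(key_policy, a, bucket_name, account_id) for a in ("kms:GenerateDataKey", "kms:Decrypt"))

# Constructed sample input: the article's SNS topic and KMS key policies with the placeholders filled in.
SNS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": S3}, "Action": ["SNS:Publish"],
    "Resource": "arn:aws:sns:us-east-1:111122223333:s3-events",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:my-bucket"}, "StringEquals": {"aws:SourceAccount": "111122223333"}}}]}
KMS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": S3}, "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}
```

In practice you would load the policy documents from the SNS GetTopicAttributes, SQS GetQueueAttributes, Lambda GetPolicy and KMS GetKeyPolicy responses and run the same checks over every destination in the bucket's notification configuration.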

Related information

IAM policy for a destination SNS topic

IAM policy for a destination SQS queue

AWS OFFICIAL
Updated 8 months ago
4 Comments

Please review and correct the typographical error under Example Amazon SNS topic destination policy. Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#sns-topic-policy

Example Amazon SNS topic destination policy:

{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "Example SNS topic policy",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "SNS:Publish"
            ],
            "Resource": "SNS-topic-ARN",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:bucket-name"
                },
                "StringEquals": {
                    "aws:SourceAccount": "bucket-owner-account-id"
                }
            }
        }
    ]
}

AWS
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

How do I apply this policy to all the S3 Buckets in my AWS account using the same SNS Topic? I appreciate your support.

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 months ago