Unable to configure SQS queue notification in S3

Question

I created an SQS queue and added policy under permission tab allowing only my account users to configure the configure the notification

Policy Document

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid111111111111",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111111111111"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
    }
  ]

Navigate to S3 and try to configure event notification for the above queue, it is throwing an error

Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket. (arn:aws:sqs:us-east-1:111111111111:queue)*

am I doing something wrong? Can someone help me please

Answer 1

I was able to resolve this issue by adding "Service": "s3.amazonaws.com" in the Principal tag.

Here the policy document

    {
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid111111111111",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
    }
  ]

This is explained in https://forums.aws.amazon.com/thread.jspa?threadID=173251

Answer 2

This template file creates a bucket, SQS Queue and a policy to connect the two:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  IncomingBucketName:
    Type: 'String'
    Description: 'Incoming Bucket Name'
    Default: 'some-bucket-name-here'
Resources:
  IncomingFileQueue:
    Type: 'AWS::SQS::Queue'
    Properties: {}
  SQSQueuePolicy:
    Type: 'AWS::SQS::QueuePolicy'
    Properties:
      PolicyDocument:
        Id: 'MyQueuePolicy'
        Version: '2012-10-17'
        Statement:
          - Sid: 'Statement-id'
            Effect: 'Allow'
            Principal:
              AWS: "*"
            Action: 'sqs:SendMessage'
            Resource:
              Fn::GetAtt: [ IncomingFileQueue, Arn ]
      Queues:
        - Ref: IncomingFileQueue
  IncomingFileBucket:
    Type: 'AWS::S3::Bucket'
    DependsOn:
      - SQSQueuePolicy
      - IncomingFileQueue
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketName:
        Ref: IncomingBucketName
      NotificationConfiguration:
        QueueConfigurations:
          - Event:
              s3:ObjectCreated:Put
            Queue:
              Fn::GetAtt: [ IncomingFileQueue, Arn ]

I was getting the same issue but used this page to work out how to connect the three resources in order to successfully deploy the stack: https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-destination-s3/

I'm still working on the Policy Condition as the form recommended in the above link doesn't work for SQS. That being the case, the above template is not secure and shouldn't be used in production as it allows anyone to add messages to the queue.

I'll update this answer once I've figured that bit out...

Answer 3

You have to allow s3 service. Under Principal add "Service": "s3.amazonaws.com"

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid111111111111",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
    }
  ]

Please read these article to get learn about amazon sqs queues and to implement :

1. https://hydroid.medium.com/aws-sqs-simple-queue-service-14699b8cca7f
2. https://hydroid.medium.com/create-get-amazon-sqs-queues-8d9c5381f3e2