Why isn’t my Amazon SNS topic receiving Amazon S3 event notifications?

Last updated: 2021-06-21

I created an Amazon Simple Storage Service (Amazon S3) event notification to send messages through my Amazon Simple Notification Service (Amazon SNS) topic. My Amazon SNS topic isn’t publishing messages when new events occur in my Amazon S3 bucket, though. How do I troubleshoot the issue?

Resolution

Confirm that your Amazon S3 event type is configured correctly

When you configure an Amazon S3 event notification, you must specify which supported Amazon S3 event types cause Amazon S3 to send the notification. If an event type that you didn't specify occurs in your Amazon S3 bucket, then Amazon S3 doesn't send the notification.

Confirm that your object key name filters are in URL-encoded (percent-encoded) format

If your event notifications are configured to use object key name filtering, notifications are published only for objects with specific prefixes or suffixes.

If you use any special characters in your prefixes or suffixes, you must enter them in URL-encoded (percent-encoded) format. For more information, see Object key naming guidelines and Working with object metadata.

Note: A wildcard character ("*") can't be used in filters as a prefix or suffix to represent any character.

Confirm that you've granted Amazon S3 the required permissions to publish messages to your topic

Your Amazon SNS topic’s resource-based policy must allow the Amazon S3 bucket to publish messages to the topic.

Check your topic’s AWS Identity and Access Management (IAM) policy to confirm that it has the required permissions, and add them if needed. For more information, see Granting permissions to publish messages to an SNS topic or an SQS queue.
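The following Python sketch is an added example, not part of the original article or an AWS tool. It checks offline whether a topic access policy lets Amazon S3 publish to the topic and whether the grant is limited to one bucket. The ARNs and the `example_policy` helper are constructed for illustration, and the check is simplified: it evaluates only Allow statements and `aws:SourceArn` conditions, not explicit Deny statements or other condition keys.

```python
import json
from fnmatch import fnmatchcase

TOPIC = "arn:aws:sns:us-east-1:111122223333:example-topic"  # constructed
BUCKET = "arn:aws:s3:::example-bucket"                       # constructed

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_s3(principal):
    # "*" and {"AWS": "*"} also cover the S3 service principal.
    if not isinstance(principal, dict):
        return principal == "*"
    return ("s3.amazonaws.com" in _as_list(principal.get("Service", []))
            or "*" in _as_list(principal.get("AWS", [])))

def _source_arns(condition):
    # aws:SourceArn values under any operator (key names are case-insensitive).
    return [v for keys in condition.values() for k, vals in keys.items()
            if k.lower() == "aws:sourcearn" for v in _as_list(vals)]

def check_topic_policy(policy_json, topic_arn=TOPIC, bucket_arn=BUCKET):
    """Return (allowed, notes). Simplified: Allow statements and aws:SourceArn only."""
    notes = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _names_s3(stmt.get("Principal")):
            continue
        if not (any(fnmatchcase("sns:publish", a.lower()) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatchcase(topic_arn, r) for r in _as_list(stmt.get("Resource", [])))):
            continue
        arns = _source_arns(stmt.get("Condition", {}))
        if arns and not any(fnmatchcase(bucket_arn, p) for p in arns):
            notes.append("aws:SourceArn %s does not match %s" % (arns, bucket_arn))
            continue
        if not arns:
            notes.append("allowed, but not restricted to the bucket (no aws:SourceArn)")
        return True, notes
    return False, notes or ["no Allow statement lets s3.amazonaws.com publish to the topic"]

def example_policy(source_arn=None):
    # Constructed topic policy; pass source_arn to add an ArnLike condition.
    stmt = {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish", "Resource": TOPIC}
    if source_arn:
        stmt["Condition"] = {"ArnLike": {"aws:SourceArn": source_arn}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    print([check_topic_policy(example_policy(a)) for a in (BUCKET, "arn:aws:s3:::other-bucket", None)])
```

The policy text to pass in is the `Policy` attribute returned by `aws sns get-topic-attributes` for the topic.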

(For topics with server-side encryption (SSE) activated) Confirm that your topic has the required AWS Key Management Service (AWS KMS) permissions

Your Amazon SNS topic must use an AWS KMS key that is customer managed. This KMS key must include a custom key policy that gives Amazon S3 sufficient key usage permissions.

To set up the required AWS KMS permissions, do the following:

1.    Create a new KMS key that is customer managed and includes the required permissions for Amazon S3.

2.    Configure SSE for your Amazon SNS topic using the custom KMS key you just created.

3.    Configure AWS KMS permissions that allow Amazon S3 to publish messages to your encrypted topic.

Example IAM policy statement that allows Amazon S3 to publish messages to an encrypted Amazon SNS topic

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*"
    }]
}
