My AWS CloudFormation stack creation fails when I deploy a template with the following resources:

  1. An AWS Lambda function resource.
  2. An Amazon S3 bucket resource with a NotificationConfiguration property that references the Lambda function.
  3. A Lambda permission resource with FunctionName and SourceArn properties that match the Lambda function and the S3 bucket.
    Note: It's a best practice to add the SourceAccount property to the Lambda permission resource for S3 event sources because an S3 Amazon Resource Name (ARN) does not include an account ID. Although the SourceArn property is adequate for most other event sources, consider adding the SourceAccount property for S3 event sources to guard against a scenario where you delete the bucket only to find that someone else has re-created the bucket, granting the new owner of the bucket full permissions to invoke your Lambda function.

When the stack fails, an error similar to this occurs:

Unable to validate the following destination configurations

When creating the bucket, S3 must validate the notification configuration by checking whether the bucket has permission to push events to the Lambda function. The permission resource (which must exist for this check to pass) requires the bucket name. Therefore, the permission resource depends on the bucket (for its name), and the bucket depends on the permission resource (for the validation to succeed).

Note: If you attempt to resolve this issue by implementing a DependsOn resource attribute similar to the following, you will receive an error:

"Resources": {
  "MyS3BucketPermission": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
      "Action": "lambda:InvokeFunction",
      ...
      ...
      "SourceArn": {
        "Ref": "MyS3Bucket"
      }
    }
  },
  "MyS3Bucket": {
    "DependsOn": "MyS3BucketPermission",

DependsOn resource attribute error:

Circular dependency between resources

In this example, the circular dependency is between the S3 bucket resource and the SourceArn property of the Lambda permission resource: neither resource exists yet, and each one's creation requires the other to exist first.

When this problem occurs, you can avoid the circular dependency by building the bucket ARN with the Fn::Join intrinsic function from stack parameters instead of referencing the bucket resource directly.

...
"SourceArn": {
  "Fn::Join": [
    "",
    [
      "arn:aws:s3:::",
      {
        "Fn::Join": [
          ".",
          [
            { "Ref": "BucketPrefix" },
            { "Ref": "AWS::StackName" }
          ]
        ]
      }
    ]
  ]
}
},
"Type": "AWS::Lambda::Permission"

This approach allows S3 to verify its notification configuration and create the bucket without any issues.
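The following complete template is an added example (not code from the original article) that applies the Fn::Join approach end to end: the permission's SourceArn and the bucket's BucketName are both derived from the BucketPrefix parameter and the stack name, the bucket declares DependsOn the permission, and SourceAccount pins the invoking bucket to the deploying account. The resource names, the BucketPrefix default value, and the Lambda handler body are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  BucketPrefix:
    Type: String
    Default: notify-demo   # constructed sample value; must be lowercase
Resources:
  MyLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt MyLambdaRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              # Hypothetical handler: count the S3 records delivered
              return {"records": len(event.get("Records", []))}
  MyS3BucketPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref MyLambdaFunction
      Principal: s3.amazonaws.com
      # ARN built from parameter + stack name, so no Ref to the bucket resource
      SourceArn: !Join ["", ["arn:aws:s3:::", !Join [".", [!Ref BucketPrefix, !Ref "AWS::StackName"]]]]
      # S3 ARNs carry no account ID; restrict the invoking bucket to this account
      SourceAccount: !Ref "AWS::AccountId"
  MyS3Bucket:
    Type: AWS::S3::Bucket
    DependsOn: MyS3BucketPermission   # permission must exist before S3 validates
    Properties:
      # Must match the name the permission's SourceArn was built from
      BucketName: !Join [".", [!Ref BucketPrefix, !Ref "AWS::StackName"]]
      NotificationConfiguration:
        LambdaConfigurations:
          - Event: s3:ObjectCreated:*
            Function: !GetAtt MyLambdaFunction.Arn
```

Because S3 bucket names must be lowercase, this pattern only works when the stack name is also lowercase and DNS-compliant; otherwise bucket creation fails before the notification configuration is even checked.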

Other possible workarounds are to:

  • Create the bucket without a notification configuration and add the configuration in a subsequent stack update.
  • Create a less-constrained Lambda permission. For example, allow invocations from any bucket in a specific AWS account (via SourceAccount) by omitting the SourceArn property entirely.
  • Create a custom resource that runs at the end of the stack workflow. This resource would add the notification configuration to the bucket after all other resources are created.

Published: 2017-10-03