When subscribing an AWS SNS topic or AWS Lambda function to Amazon S3 event notifications, I receive the error message "Unable to validate the following destination configurations." I have tried setting a dependency on the SNS topic policy from the S3 bucket in my template, but that resulted in a circular dependency validation error.

Before subscribing an SNS topic to S3 event notifications, you must define an AWS::SNS::TopicPolicy that grants Amazon S3 permission to publish to the topic, and that policy must exist before the subscription is created; otherwise the subscription might fail validation.

With AWS CloudFormation templates, the S3 event notifications are defined as an attribute of the S3 bucket and are established when the S3 bucket resource is created. Because of the way CloudFormation handles dependency ordering, there are some known limitations.

Consider the following sample code:

"SNSTopic" : {
    "Type" : "AWS::SNS::Topic"
},
"SNSTopicPolicy" : {
    "Type" : "AWS::SNS::TopicPolicy",
    "Properties" : {
        "PolicyDocument" : {
            "Id" : "MyTopicPolicy",
            "Version" : "2012-10-17",
            "Statement" : [ {
                "Sid" : "Statement-id",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "*"
                },
                "Action" : "sns:Publish",
                "Resource" : { "Ref": "SNSTopic" },
                "Condition" : {
                    "ArnLike": {
                        "aws:SourceArn": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref" : "S3Bucket" } ] ] }
                    }
                }
            } ]
        },
        "Topics" : [ { "Ref" : "SNSTopic" } ]
    }
},
"S3Bucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "AccessControl": "PublicReadWrite",
        "NotificationConfiguration": {
            "TopicConfigurations": [
                {
                    "Topic": { "Ref" : "SNSTopic" },
                    "Event": "s3:ObjectCreated:*"
                }
            ]
        }
    }
}

Note that in the dependency ordering:

  • The S3 bucket references the SNS topic; therefore, the SNS topic must be created before the S3 bucket.
  • The SNS topic policy references both the S3 bucket and the SNS topic; therefore, it is created last.

Because the S3 bucket event notification is created before the SNS topic policy is in place, it fails.

Statically name your S3 bucket by specifying a value for the BucketName property of the S3 bucket resource in the CloudFormation template. Statically naming the bucket eliminates the need to include { "Ref": "S3Bucket" } in the SNS topic policy and removes the intrinsic dependency between the SNS topic policy and the S3 bucket; you can then add a DependsOn on the topic policy to the bucket without creating a cycle. To promote template reuse, the S3 bucket name can be parameterized and passed in during stack creation.

Another option is to separate the stack creation into two stages: perform a stack creation first, and then perform a stack update. In the first stage, you can create all of the resources including the SNS topic policy, but do not specify the NotificationConfiguration attribute in the S3 bucket resource. In the second stage, you can update the stack to add the S3 event notification. This avoids the S3 event notification being set before the SNS topic policy has been created. For more information, see Working with Stacks in the AWS CloudFormation User Guide.




Published: 2016-09-15