When subscribing an Amazon Simple Notification Service (Amazon SNS) topic or an AWS Lambda function to Amazon Simple Storage Service (Amazon S3) event notifications, I receive the error "Unable to validate the following destination configurations." When I tried setting a dependency on the SNS topic policy from the S3 bucket in my template, I received a circular dependency validation error.

Amazon S3 event notifications are defined as an attribute of the S3 bucket, so AWS CloudFormation establishes them at the moment it creates the S3 bucket resource. This is what constrains the dependency ordering that CloudFormation can use.

Therefore, you must create resources in the following order:

  • First, create the SNS topic, because the S3 bucket (through its notification configuration) references the SNS topic.
  • Next, create the S3 bucket. The SNS topic policy references both the S3 bucket and the SNS topic, so it can only be created after the bucket.

However, before subscribing an SNS topic to S3 event notifications, you must specify a topic policy (AWS::SNS::TopicPolicy) with the appropriate permissions, and that topic policy must exist before the subscription occurs. Because the subscription is created together with the bucket, the bucket needs the topic policy and the topic policy needs the bucket; this is the circular dependency that CloudFormation reports.

Try one of the following strategies:

Specify a value for BucketName in the CloudFormation template

Use a static name for your S3 bucket by specifying a value for the BucketName property of the S3 bucket resource in the CloudFormation template. The topic policy can then be built from that name, so it no longer needs { "Ref": "S3Bucket" }, and the intrinsic dependency between the SNS topic policy and the S3 bucket disappears. To promote template reuse, the S3 bucket name can be declared as a parameter and passed in during stack creation.

Specify a value for the BucketName parameter in your template, as shown in this example:

{
    "Parameters": {
        "paramBucketName": {
            "Type": "String",
            "Description": "Bucket Name"
        }
    },
    "Resources": {
        "SNSTopic": {
            "Type": "AWS::SNS::Topic"
        },
        "SNSTopicPolicy": {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Id": "MyTopicPolicy",
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "Statement-id",
                            "Effect": "Allow",
                            "Principal": { "AWS": "*" },
                            "Action": "sns:Publish",
                            "Resource": { "Ref": "SNSTopic" },
                            "Condition": {
                                "ArnLike": {
                                    "aws:SourceArn": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "paramBucketName" } ] ] }
                                }
                            }
                        }
                    ]
                },
                "Topics": [ { "Ref": "SNSTopic" } ]
            }
        },
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "DependsOn": [ "SNSTopicPolicy" ],
            "Properties": {
                "AccessControl": "BucketOwnerFullControl",
                "BucketName": { "Ref": "paramBucketName" },
                "NotificationConfiguration": {
                    "TopicConfigurations": [
                        {
                            "Topic": { "Ref": "SNSTopic" },
                            "Event": "s3:ObjectCreated:Put"
                        }
                    ]
                }
            }
        }
    }
}

Note: The S3Bucket resource has an explicit DependsOn set to SNSTopicPolicy. This ensures that the required permissions are in place before bucket creation is initiated. The topic policy lets any principal ("AWS": "*") publish as long as aws:SourceArn matches the bucket ARN; because S3 bucket ARNs carry no account ID, AWS also recommends adding an aws:SourceAccount condition with your account ID so that the grant cannot be satisfied by a bucket of the same name in another account.
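As an added example that is not part of the AWS article, the following Python script derives a CloudFormation dependency graph from Ref and DependsOn, reports the cycle produced by the failing pattern (bucket waits for the topic policy, topic policy refers back to the bucket), and shows that pointing the policy's aws:SourceArn at the paramBucketName Parameter instead removes the cycle. The function names are mine, the templates are constructed inline and reduced to their dependency-relevant parts, and Fn::GetAtt and Fn::Sub references are not analysed.

```python
def _refs(node, resources):
    """Yield logical IDs of *resources* that node Refs; a Ref to a Parameter adds no ordering edge."""
    if isinstance(node, dict):
        if node.get("Ref") in resources:
            yield node["Ref"]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _refs(child, resources)

def dependency_graph(template):
    """Map each resource to the sorted list of resources it must wait for (Ref + DependsOn)."""
    res = template["Resources"]
    graph = {}
    for name, body in res.items():
        deps = set(_refs(body.get("Properties", {}), res))
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        graph[name] = sorted(deps)
    return graph

def find_cycle(graph):
    """Return one cycle as a list of logical IDs (first == last), or [] if the graph is acyclic."""
    done, path = set(), []
    def visit(n):
        if n in path:                              # back edge: the tail of the path is a cycle
            return path[path.index(n):] + [n]
        if n in done:
            return []
        path.append(n)
        cycle = next(filter(None, map(visit, graph[n])), [])
        path.pop()
        done.add(n)
        return cycle
    return next(filter(None, map(visit, list(graph))), [])

def make_template(source_ref, static_name=False):
    """Constructed template keeping only the article's dependency-relevant parts. source_ref is
    what the topic policy's aws:SourceArn points at: the bucket resource or a Parameter."""
    bucket = {"Type": "AWS::S3::Bucket", "DependsOn": "SNSTopicPolicy", "Properties": {
        "NotificationConfiguration": {"TopicConfigurations": [{"Topic": {"Ref": "SNSTopic"}}]}}}
    if static_name:                                # the article's first strategy
        bucket["Properties"]["BucketName"] = source_ref
    return {"Parameters": {"paramBucketName": {"Type": "String"}}, "Resources": {
        "SNSTopic": {"Type": "AWS::SNS::Topic"},
        "SNSTopicPolicy": {"Type": "AWS::SNS::TopicPolicy", "Properties": {"Topics": [{"Ref": "SNSTopic"}],
            "PolicyDocument": {"Statement": [{"Condition": {"ArnLike": {"aws:SourceArn":
                {"Fn::Join": ["", ["arn:aws:s3:::", source_ref]]}}}}]}}},
        "S3Bucket": bucket}}

CIRCULAR = make_template({"Ref": "S3Bucket"})                  # policy condition names the bucket
STATIC_NAME = make_template({"Ref": "paramBucketName"}, True)  # bucket named from a Parameter
```

Running find_cycle(dependency_graph(CIRCULAR)) returns the SNSTopicPolicy -> S3Bucket -> SNSTopicPolicy loop, while the STATIC_NAME template yields an empty list because the policy now depends only on the topic.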

Create a stack, and then perform a stack update

Separate the stack creation into two stages. First, create the stack without the NotificationConfiguration attribute in the S3 bucket resource. Then, perform a stack update that adds the S3 event notification. This ensures that the SNS topic policy exists before the S3 event notification is set.

In the first stage, create all of the resources, including the SNS topic policy, as shown in this example:

{
    "Resources": {
        "SNSTopic": {
            "Type": "AWS::SNS::Topic"
        },
        "SNSTopicPolicy": {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Id": "MyTopicPolicy",
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "Statement-id",
                            "Effect": "Allow",
                            "Principal": { "AWS": "*" },
                            "Action": "sns:Publish",
                            "Resource": { "Ref": "SNSTopic" },
                            "Condition": {
                                "ArnLike": {
                                    "aws:SourceArn": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3Bucket" } ] ] }
                                }
                            }
                        }
                    ]
                },
                "Topics": [ { "Ref": "SNSTopic" } ]
            }
        },
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "BucketOwnerFullControl"
            }
        }
    }
}

Next, update the stack to add the S3 event notification, as shown in this example:

{
    "Resources": {
        "SNSTopic": {
            "Type": "AWS::SNS::Topic"
        },
        "SNSTopicPolicy": {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Id": "MyTopicPolicy",
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "Statement-id",
                            "Effect": "Allow",
                            "Principal": { "AWS": "*" },
                            "Action": "sns:Publish",
                            "Resource": { "Ref": "SNSTopic" },
                            "Condition": {
                                "ArnLike": {
                                    "aws:SourceArn": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3Bucket" } ] ] }
                                }
                            }
                        }
                    ]
                },
                "Topics": [ { "Ref": "SNSTopic" } ]
            }
        },
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "BucketOwnerFullControl",
                "NotificationConfiguration": {
                    "TopicConfigurations": [
                        {
                            "Topic": { "Ref": "SNSTopic" },
                            "Event": "s3:ObjectCreated:Put"
                        }
                    ]
                }
            }
        }
    }
}

Published: 2016-09-15

Updated: 2018-07-23