Why isn’t my Amazon SNS topic receiving Amazon S3 event notifications?


I created an Amazon Simple Storage Service (Amazon S3) event notification to send messages through my Amazon Simple Notification Service (Amazon SNS) topic. My Amazon SNS topic isn't publishing messages when new events occur in my Amazon S3 bucket, though.

Resolution

Confirm that your Amazon S3 event type is configured correctly

When you configure an Amazon S3 event notification, you must specify which supported Amazon S3 event types cause Amazon S3 to send the notification. If an event type that you didn't specify occurs in your Amazon S3 bucket, then Amazon S3 doesn't send the notification.

Confirm that your object key name filters are in URL-encoded (percent-encoded) format

If your event notifications are configured to use object key name filtering, then notifications are published only for objects with specific prefixes or suffixes.

If you use any special characters in your prefixes or suffixes, then you must enter them in URL-encoded (percent-encoded) format. For more information, see Object key naming guidelines and Working with object metadata.

Note: A wildcard character ("*") can't be used in filters as a prefix or suffix to represent any character.
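The two checks above (event type and prefix/suffix filter) can be applied offline to the configuration that `aws s3api get-bucket-notification-configuration` returns. The following script is an added example, not code from AWS or from this article; the topic ARN, configuration and object keys are constructed samples, and the way it compares a percent-encoded rule value against a plain object key (decode the rule, then compare) is an assumption about S3's matching, not a statement of it.

```python
"""Offline check of an S3 event notification configuration.

Added example, not code from AWS or from this article. Given the JSON that
`aws s3api get-bucket-notification-configuration` returns, it reports whether
a given event on a given object key would reach a given SNS topic and, if
not, why. The configuration below is a constructed sample.
"""
import fnmatch
import json
from urllib.parse import unquote_plus

TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"  # constructed

# Constructed sample in the shape get-bucket-notification-configuration returns.
SAMPLE_CONFIG = json.loads("""
{
  "TopicConfigurations": [{
    "Id": "csv-uploads-to-sns",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-topic",
    "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [
      {"Name": "prefix", "Value": "incoming%20files/"},
      {"Name": "suffix", "Value": ".csv"}
    ]}}
  }]
}
""")


def event_type_matches(configured: str, actual: str) -> bool:
    """'s3:ObjectCreated:*' in the configuration covers 's3:ObjectCreated:Put';
    it does not cover 's3:ObjectRemoved:Delete'."""
    return fnmatch.fnmatchcase(actual, configured)


def key_filter_matches(filter_rules, key: str) -> bool:
    """Apply the prefix/suffix rules to an object key.

    Rule values are stored percent-encoded (the requirement the article
    describes), while the key an application uploads is not. Assumption made
    here: decode the rule value and compare it against the plain key, so the
    rule 'incoming%20files/' matches the key 'incoming files/report.csv'.
    A '*' in a rule is a literal character, never a wildcard, as in S3.
    """
    for rule in filter_rules:
        value = unquote_plus(rule["Value"])
        name = rule["Name"].lower()
        if name == "prefix" and not key.startswith(value):
            return False
        if name == "suffix" and not key.endswith(value):
            return False
    return True


def explain(config, topic_arn, event_name, key):
    """Return (id of the configuration that would fire or None, reasons it would not)."""
    reasons = []
    candidates = [tc for tc in config.get("TopicConfigurations", [])
                  if tc["TopicArn"] == topic_arn]
    if not candidates:
        return None, [f"no TopicConfiguration targets {topic_arn}"]
    for tc in candidates:
        if not any(event_type_matches(e, event_name) for e in tc["Events"]):
            reasons.append(f"{tc['Id']}: event {event_name} not in {tc['Events']}")
            continue
        rules = tc.get("Filter", {}).get("Key", {}).get("FilterRules", [])
        if not key_filter_matches(rules, key):
            reasons.append(f"{tc['Id']}: key {key!r} does not match {rules}")
            continue
        return tc["Id"], []
    return None, reasons


if __name__ == "__main__":
    for event, key in [("s3:ObjectCreated:Put", "incoming files/report.csv"),
                       ("s3:ObjectRemoved:Delete", "incoming files/report.csv"),
                       ("s3:ObjectCreated:Put", "incoming files/report.txt")]:
        print(event, key, "->", explain(SAMPLE_CONFIG, TOPIC_ARN, event, key))
```

Replace `SAMPLE_CONFIG` with the real configuration and call `explain` with the event name and key from the upload that produced no notification; the returned reasons tell you which of the two checks to revisit.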

Confirm that you've granted Amazon S3 the required permissions to publish messages to your topic

Your Amazon SNS topic's resource-based policy must allow the Amazon S3 bucket to publish messages to the topic.

Check your topic's AWS Identity and Access Management (IAM) policy to confirm that it has the required permissions, and add them if needed. For more information, see Granting permissions to publish messages to an SNS topic or an SQS queue.

(For topics with server-side encryption (SSE) activated) Confirm that your topic has the required AWS Key Management Service (AWS KMS) permissions

Your Amazon SNS topic must use an AWS KMS key that is customer managed. This KMS key must include a custom key policy that gives Amazon S3 sufficient key usage permissions.

To set up the required AWS KMS permissions, complete the following steps:

1. Create a new KMS key that is customer managed and includes the required permissions for Amazon S3.

2. Configure SSE for your Amazon SNS topic using the custom KMS key you just created.

3. Configure AWS KMS permissions that allow Amazon S3 to publish messages to your encrypted topic.

Example policy statement, added to the customer managed KMS key's key policy, that allows Amazon S3 to publish messages to an encrypted Amazon SNS topic

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*"
    }]
}
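The topic policy check (previous section) and the key policy check (this section) are the same exercise: does some Allow statement grant the S3 service principal the needed actions? The script below is an added example, not code from AWS or from this article. It takes the topic's Policy attribute (from `aws sns get-topic-attributes`) and the key policy (from `aws kms get-key-policy`) as JSON; the two policies, the account id and the ARNs are constructed samples. It deliberately does not evaluate Deny statements or Condition blocks when deciding what is granted (a simplification), but it does flag a Publish statement that has neither aws:SourceArn nor aws:SourceAccount, because such a statement lets any bucket in any account publish to the topic.

```python
"""Offline check of the two policies Amazon S3 needs in order to publish to an
encrypted SNS topic: the topic's access policy (SNS:Publish) and the customer
managed KMS key's policy (kms:GenerateDataKey* and kms:Decrypt).

Added example, not code from AWS or from this article. All ARNs, Sids and the
account id below are constructed.
"""
import fnmatch
import json

S3_SERVICE = "s3.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"  # constructed

# Constructed key policy. In a key policy, "Resource": "*" means this key.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowS3UseOfKey", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}
  ]
}
""")

# Constructed topic access policy, scoped to one bucket in one account.
SAMPLE_TOPIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowS3Publish", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
    "Condition": {
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"},
      "StringEquals": {"aws:SourceAccount": "111122223333"}
    }
  }]
}
""")

# The same topic policy without its Condition block (constructed weak variant).
WEAK_TOPIC_POLICY = json.loads(json.dumps(SAMPLE_TOPIC_POLICY))
del WEAK_TOPIC_POLICY["Statement"][0]["Condition"]


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _covers(pattern: str, name: str) -> bool:
    """'*' wildcard match, as used by IAM for actions and resource ARNs."""
    return fnmatch.fnmatchcase(name, pattern)


def _grants(statement, service, action, resource) -> bool:
    """True if one Allow statement lets `service` do `action` on `resource`.
    Simplification (assumption): Deny statements and Condition blocks are not
    evaluated here; conditions are inspected separately below."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    services = principal.get("Service", []) if isinstance(principal, dict) else []
    if principal != "*" and service not in _as_list(services):
        return False
    # Action names are case-insensitive; compare both sides lower-cased.
    actions = _as_list(statement.get("Action", []))
    if not any(_covers(p.lower(), action.lower()) for p in actions):
        return False
    return any(_covers(r, resource) for r in _as_list(statement.get("Resource", [])))


def missing_actions(policy, service, actions, resource="*"):
    """Actions in `actions` that no Allow statement grants to `service` on `resource`."""
    statements = _as_list(policy.get("Statement", []))
    return sorted(a for a in actions
                  if not any(_grants(st, service, a, resource) for st in statements))


def unscoped_publish_statements(policy, topic_arn, service=S3_SERVICE):
    """Sids of Allow statements granting SNS:Publish to S3 with neither
    aws:SourceArn nor aws:SourceAccount in their Condition."""
    flagged = []
    for st in _as_list(policy.get("Statement", [])):
        if not _grants(st, service, "sns:publish", topic_arn):
            continue
        keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def report(topic_policy, key_policy, topic_arn):
    """Summarize what is missing on the topic policy and the key policy."""
    return {
        "topic_missing": missing_actions(topic_policy, S3_SERVICE, ["SNS:Publish"], topic_arn),
        "key_missing": missing_actions(key_policy, S3_SERVICE, ["kms:GenerateDataKey", "kms:Decrypt"]),
        "unscoped_publish": unscoped_publish_statements(topic_policy, topic_arn),
    }


if __name__ == "__main__":
    print(report(SAMPLE_TOPIC_POLICY, SAMPLE_KEY_POLICY, TOPIC_ARN))
    print(report(WEAK_TOPIC_POLICY, SAMPLE_KEY_POLICY, TOPIC_ARN))
```

An empty `topic_missing` and `key_missing` means both policies grant what S3 needs; a non-empty `unscoped_publish` list is not a delivery problem but a scoping one, fixed by adding the aws:SourceArn (bucket ARN) or aws:SourceAccount condition to the flagged statement.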

If the Amazon S3 event notification still isn't received on the SNS topic, then check the Amazon SNS CloudWatch metric NumberOfMessagesPublished. This metric shows whether Amazon S3 is publishing the events to the topic. If the metric doesn't populate, then there's an issue with the Amazon S3 to Amazon SNS configuration.

If the NumberOfMessagesPublished metric is populated, then check the NumberOfNotificationsDelivered and NumberOfNotificationsFailed metrics. These metrics show whether the messages are successfully delivered from your Amazon SNS topic to the subscribed endpoints.

Amazon SNS can log the delivery status of notification messages sent to the following endpoint types: HTTP, Amazon Kinesis Data Firehose, AWS Lambda, platform application endpoints, Amazon Simple Queue Service (Amazon SQS), and SMS. Turn on delivery status logging for the Amazon SNS topic to troubleshoot the issue further.


Related information

Allow Amazon S3 event notifications to publish to a topic

AWS OFFICIAL. Updated a year ago.