I am writing a CloudFormation that creates an S3 bucket and an SQS queue. In the same CFN, I am trying to allow the S3 bucket to send messages to the SQS queue. I keep getting this error:

Unable to validate the following destination configurations

I spent about 12 hours in trial and error yesterday. I think I have now read every article out there about this topic. Most seem to be on Lambdas or SNS Topics, but the process should be the same. I have tried adding a DependsOn in the S3 bucket so that the SQS policy gets created before the bucket, but that didn't work. I then did the other solution suggested which was to create the bucket and sqs, then create the policy for the sqs bucket that allows the s3 to publish to it, and finally create the notification. I was successful up to creating the notification.

Here is my sqs creation:

SQSBiaData:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref Queue
      Tags:
        - Key: 'Environment'
          Value: !Ref Environment

Here is my sqs policy:

SQSBiaPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SQSBiaData
      PolicyDocument:
        Statement:
          - Sid: SendMessage
            Effect: Allow
            Principal: 
              AWS: !Ref AccountNumber
            Action: SQS:SendMessage
            Resource:
              - 'arn:aws:sqs:us-east-1:123456:bia-data'
            Condition:
              ArnLike:
                aws:SourceArn: 
                  Fn::Join:
                  - ''
                  - - 'arn:aws:s3:*:*:'
                    - 'bia-data'

Here is my bucket creation:

S3BucketBiaData:
    Type: AWS::S3::Bucket
    DependsOn: 
      - SQSBiaPolicy
    DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      BucketName: !Ref BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: 'Environment'
          Value: !Ref Environment
      NotificationConfiguration:
        QueueConfigurations:
          - Event: 's3:ObjectCreated:*'
            Queue: 'arn:aws:sqs:us-east-1:123456:bia-data'
            Filter:
              S3Key:
                Rules:
                  - Name: 'prefix'
                    Value: 'manifest/'

Finally, here is my bucket policy:

S3BucketBiaPolicies:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref BucketName
        PolicyDocument:
            Statement:
              - Sid: DenyInsecureConnections
                Effect: Deny
                Principal: '*'
                Action: s3:*
                Resource:
                  - !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
                Condition:
                  Bool:
                    aws:SecureTransport: 'false'
              - Sid: DenyPublicReadGrant
                Effect: Deny
                Principal:
                  AWS: "*"
                Action:
                - s3:PutObject
                - s3:PutObjectAcl
                Resource:
                  - !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
                Condition:
                  StringLike:
                    s3:x-amz-grant-read:
                    - "*http://acs.amazonaws.com/groups/global/AllUsers*"
                    - "*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
              - Sid: OnlyAllowVPCAccess
                Effect: Deny
                Principal: '*'
                Action: s3:*
                Resource:
                  - !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
                Condition:
                  ForAnyValue:StringNotEquals:
                    aws:sourceVpce: !Ref VPCs

I am expecting the CFN to happen in this order:

  1. SQS
  2. SQS Policy
  3. S3 Bucket
  4. S3 Bucket Policy

Can anyone tell me what I am doing wrong? Keep in mind that the CFN works UNTIL I add the NotificationConfiguration section.

Thanks!

1 Answer


While I do not know the exact issue of your problem, I'd like to suggest heavier usage of Pseudo params to make debugging easier.

I would replace the "us-east-1"s with ${AWS::Region} and "123456"s with ${AWS::AccountId}.

I would also use a !GetAtt when referencing the Queue in the S3 definition. Instead of Queue: 'arn:aws:sqs:us-east-1:123456:bia-data', use Queue: !GetAtt SQSBiaData.Arn.

Finally, I would use the parameter "BucketName" as a Ref in the last line of your SQS policy.

These changes might make debugging easier for someone on here.
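Putting the answer's suggestions together, here is an added example template fragment (not the asker's code and not taken from the answer). It assumes the question's parameters BucketName and Queue. The point to check in the queue policy is the Principal: when the notification is applied, S3 itself sends a test message to the destination, so the grant has to go to the s3.amazonaws.com service principal, scoped with aws:SourceArn and aws:SourceAccount so that only this bucket in this account can write to the queue; granting the account root principal, as in the question's policy, does not cover that service call.

```yaml
# Added example (not the asker's template): queue policy that lets the S3
# service deliver events, plus the bucket wired to the queue via !GetAtt.
# Assumes the BucketName and Queue parameters from the question.
Resources:
  SQSBiaData:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref Queue

  SQSBiaPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SQSBiaData
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowS3ToSendMessage
            Effect: Allow
            # The caller is the S3 service, not the account's root principal.
            Principal:
              Service: s3.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt SQSBiaData.Arn
            Condition:
              # Pin the grant to this one bucket in this account so no other
              # bucket, in any account, can push messages into the queue.
              ArnEquals:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:s3:::${BucketName}'
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  S3BucketBiaData:
    Type: AWS::S3::Bucket
    # The queue policy must exist before S3 validates the destination.
    DependsOn: SQSBiaPolicy
    Properties:
      BucketName: !Ref BucketName
      NotificationConfiguration:
        QueueConfigurations:
          - Event: 's3:ObjectCreated:*'
            # Region and account come from the stack, never hard-coded.
            Queue: !GetAtt SQSBiaData.Arn
            Filter:
              S3Key:
                Rules:
                  - Name: prefix
                    Value: manifest/
```

The bucket policy from the question can be kept as-is and attached with Bucket: !Ref S3BucketBiaData, which also gives CloudFormation the dependency it needs to order the bucket and its policy.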