The error "Unable to validate the following destination configurations" occurs when we try to subscribe an Amazon SNS topic or AWS Lambda function to Amazon S3 event notifications.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how we can fix this issue.
Unable to validate the following destination configurations in SNS
To avoid the error, our Support Techs recommend creating resources in the following order:
- Create the SNS topic, because the S3 bucket references the SNS topic.
- Create the S3 bucket, because the SNS topic policy references both the S3 bucket and the SNS topic.
In addition, we must specify a topic policy with the appropriate permissions.
That topic policy must exist before you create the subscription.
To avoid this error, our Support Techs suggest the following strategies:
- Specify a value for BucketName
To begin with, we need to use a static name for the S3 bucket.
Also, we must specify a value for the BucketName property in the S3Bucket resource of the AWS CloudFormation template.
For example, here we can see that the AWS CloudFormation template specifies a hardcoded value (-Bucket-Name-) for the BucketName property.
{
  "Resources": {
    "SNSTopic": {
      "Type": "AWS::SNS::Topic"
    },
    "SNSTopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Statement-id",
              "Effect": "Allow",
              "Principal": { "Service": "s3.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "SNSTopic" },
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::Join": [ "", [ "arn:aws:s3:::", "-Bucket-Name-" ] ]
                  }
                }
              }
            }
          ]
        },
        "Topics": [ { "Ref": "SNSTopic" } ]
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DependsOn": [ "SNSTopicPolicy" ],
      "Properties": {
        "AccessControl": "BucketOwnerFullControl",
        "BucketName": "-Bucket-Name-",
        "NotificationConfiguration": {
          "TopicConfigurations": [
            {
              "Topic": { "Ref": "SNSTopic" },
              "Event": "s3:ObjectCreated:Put"
            }
          ]
        }
      }
    }
  }
}
However, make sure to replace the -Bucket-Name- with an appropriate bucket name.
After that, to use this template for S3 buckets with different names, we define a parameter for the bucket name.
For example, here we must pass the bucket name as the paramBucketName parameter during stack creation.
{
  "Parameters": {
    "paramBucketName": {
      "Type": "String",
      "Description": "Bucket Name"
    }
  },
  "Resources": {
    "SNSTopic": {
      "Type": "AWS::SNS::Topic"
    },
    "SNSTopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Statement-id",
              "Effect": "Allow",
              "Principal": { "Service": "s3.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "SNSTopic" },
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "paramBucketName" } ] ]
                  }
                }
              }
            }
          ]
        },
        "Topics": [ { "Ref": "SNSTopic" } ]
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DependsOn": [ "SNSTopicPolicy" ],
      "Properties": {
        "AccessControl": "BucketOwnerFullControl",
        "BucketName": { "Ref": "paramBucketName" },
        "NotificationConfiguration": {
          "TopicConfigurations": [
            {
              "Topic": { "Ref": "SNSTopic" },
              "Event": "s3:ObjectCreated:Put"
            }
          ]
        }
      }
    }
  }
}
- Create a stack, perform a stack update
Our Support Techs recommend dividing the stack creation into two stages.
First, we create the stack, but don’t specify the NotificationConfiguration property in the S3Bucket resource.
For instance, like the following:
{
  "Resources": {
    "SNSTopic": {
      "Type": "AWS::SNS::Topic"
    },
    "SNSTopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Statement-id",
              "Effect": "Allow",
              "Principal": { "Service": "s3.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "SNSTopic" },
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3Bucket" } ] ]
                  }
                }
              }
            }
          ]
        },
        "Topics": [ { "Ref": "SNSTopic" } ]
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "BucketOwnerFullControl"
      }
    }
  }
}
Then, we perform a stack update to add the S3 event notification.
For example:
{
  "Resources": {
    "SNSTopic": {
      "Type": "AWS::SNS::Topic"
    },
    "SNSTopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Statement-id",
              "Effect": "Allow",
              "Principal": { "Service": "s3.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "SNSTopic" },
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3Bucket" } ] ]
                  }
                }
              }
            }
          ]
        },
        "Topics": [ { "Ref": "SNSTopic" } ]
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "BucketOwnerFullControl",
        "NotificationConfiguration": {
          "TopicConfigurations": [
            {
              "Topic": { "Ref": "SNSTopic" },
              "Event": "s3:ObjectCreated:Put"
            }
          ]
        }
      }
    }
  }
}
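Both strategies above come down to the same ordering rule, which can be checked statically before a template is deployed. The following is an added example, not code from the original article or from AWS: the function names `refs`, `check_ordering` and `sample` are hypothetical, and `sample` builds a constructed, trimmed-down copy of the article's templates so the check runs offline.

```python
# Added example: pre-deploy ordering check for S3 -> SNS notifications.
def refs(node):
    """Collect every logical ID used as {"Ref": id} anywhere under node."""
    if isinstance(node, dict):
        own = {node["Ref"]} if isinstance(node.get("Ref"), str) else set()
        return own.union(*(refs(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(refs(v) for v in node))
    return set()

def check_ordering(template):
    """Findings for buckets whose create-time notification would fail validation."""
    res = template.get("Resources", {})
    policies = {n: r.get("Properties", {}) for n, r in res.items()
                if r.get("Type") == "AWS::SNS::TopicPolicy"}
    findings = []
    for name, r in res.items():
        cfgs = (r.get("Properties", {}).get("NotificationConfiguration", {})
                .get("TopicConfigurations", []))
        if r.get("Type") != "AWS::S3::Bucket" or not cfgs:
            continue
        deps = r.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps
        for topic in sorted(refs([c.get("Topic") for c in cfgs])):
            covering = [p for p, pp in policies.items() if topic in refs(pp.get("Topics", []))]
            if not covering:
                findings.append(f"{name}: no topic policy attached to {topic}")
            for p in covering:
                if name in refs(policies[p]):  # policy needs the bucket to exist first
                    findings.append(f"{name}: {p} refs the bucket, valid only as a stack update")
                elif p not in deps:  # bucket may be created before the policy
                    findings.append(f"{name}: add DependsOn {p}")
    return findings

def sample(bucket_part, depends_on=None):
    """Constructed template; bucket_part is the last element of the SourceArn join."""
    bucket = {"Type": "AWS::S3::Bucket", "Properties": {"NotificationConfiguration": {
        "TopicConfigurations": [{"Topic": {"Ref": "SNSTopic"}, "Event": "s3:ObjectCreated:Put"}]}}}
    if depends_on:
        bucket["DependsOn"] = depends_on
    policy = {"Type": "AWS::SNS::TopicPolicy", "Properties": {
        "Topics": [{"Ref": "SNSTopic"}],
        "PolicyDocument": {"Statement": [{"Condition": {"ArnLike": {"aws:SourceArn": {
            "Fn::Join": ["", ["arn:aws:s3:::", bucket_part]]}}}}]}}}
    return {"Resources": {"SNSTopic": {"Type": "AWS::SNS::Topic"},
                          "SNSTopicPolicy": policy, "S3Bucket": bucket}}
```

An empty result corresponds to the static-name and parameter templates; the "valid only as a stack update" finding corresponds to the second-stage template, which must not be used to create a new stack.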
We can convert AWS CloudFormation templates between JSON and YAML formats using AWS CloudFormation Template Flip.
Conclusion
In short, we saw how our Support Techs fix this error for our customers.