Granting permissions to publish event notification messages to a destination
You must grant the Amazon S3 principal the necessary permissions to call the relevant API to publish messages to an SNS topic, an SQS queue, or a Lambda function. This is so that Amazon S3 can publish event notification messages to a destination.
To troubleshoot publishing event notification messages to a destination, see
Troubleshoot to publish Amazon S3 event notifications to an Amazon Simple Notification Service topic
Topics
Granting permissions to invoke an Amazon Lambda function
Amazon S3 publishes event messages to Amazon Lambda by invoking a Lambda function and providing the event message as an argument.
When you use the Amazon S3 console to configure event notifications on an Amazon S3 bucket for a Lambda function, the console sets up the necessary permissions on the Lambda function. This is so that Amazon S3 has permissions to invoke the function from the bucket. For more information, see Enabling and configuring event notifications using the Amazon S3 console.
You can also grant Amazon S3 permissions from Amazon Lambda to invoke your Lambda function. For more information, see Tutorial: Using Amazon Lambda with Amazon S3 in the Amazon Lambda Developer Guide.
Granting permissions to publish messages to an SNS topic or an SQS queue
To grant Amazon S3 permissions to publish messages to the SNS topic or SQS queue, attach an Amazon Identity and Access Management (IAM) policy to the destination SNS topic or SQS queue.
For an example of how to attach a policy to an SNS topic or an SQS queue, see Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue). For more information about permissions, see the following topics:
-
Example cases for Amazon SNS access control in the Amazon Simple Notification Service Developer Guide
-
Identity and access management in Amazon SQS in the Amazon Simple Queue Service Developer Guide
IAM policy for a destination SNS topic
The following is an example of an Amazon Identity and Access Management (IAM) policy that you attach to the destination SNS topic. For instructions on how to use this policy to set up a destination Amazon SNS topic for event notifications, see Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue).
{ "Version": "2012-10-17", "Id": "example-ID", "Statement": [ { "Sid": "Example SNS topic policy", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "SNS:Publish" ], "Resource": "
SNS-topic-ARN
", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:s3:::" }, "StringEquals": { "aws:SourceAccount": "
amzn-s3-demo-bucket
bucket-owner-account-id
" } } } ] }
IAM policy for a destination SQS queue
The following is an example of an IAM policy that you attach to the destination SQS queue. For instructions on how to use this policy to set up a destination Amazon SQS queue for event notifications, see Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue).
To use this policy, you must update the Amazon SQS queue ARN, bucket name, and bucket owner's Amazon Web Services account ID.
{ "Version": "2012-10-17", "Id": "example-ID", "Statement": [ { "Sid": "example-statement-ID", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "SQS:SendMessage" ], "Resource": "arn:aws:sqs:
Region
:account-id
:queue-name
", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1
" }, "StringEquals": { "aws:SourceAccount": "bucket-owner-account-id
" } } } ] }
For both the Amazon SNS and Amazon SQS IAM policies, you can specify the
StringLike
condition in the policy instead of the
ArnLike
condition.
When ArnLike
is used, the partition, service, account-id,
resource-type, and partial resource-id portions of the ARN must have exact
matching to the ARN in the request context. Only the region and resource
path allow partial matching.
When StringLike
is used instead of ArnLike
,
matching ignores the ARN structure and allows partial matching, regardless
of the portion that was wildcarded. For more information, see IAM JSON policy elements in the
IAM User Guide.
"Condition": { "StringLike": { "aws:SourceArn": "arn:aws-cn:s3:*:*:
" } }
amzn-s3-demo-bucket
Amazon KMS key policy
If the SQS queue or SNS topics are encrypted with an Amazon Key Management Service (Amazon KMS) customer managed key, you must grant the Amazon S3 service principal permission to work with the encrypted topics or queue. To grant the Amazon S3 service principal permission, add the following statement to the key policy for the customer managed key.
{ "Version": "2012-10-17", "Id": "example-ID", "Statement": [ { "Sid": "example-statement-ID", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*" } ] }
For more information about Amazon KMS key policies, see Using key policies in Amazon KMS in the Amazon Key Management Service Developer Guide.
For more information about using server-side encryption with Amazon KMS for Amazon SQS and Amazon SNS, see the following:
-
Key management in the Amazon Simple Notification Service Developer Guide.
-
Key management in the Amazon Simple Queue Service Developer Guide.
-
Encrypting messages published to Amazon SNS with Amazon KMS
in the Amazon Compute Blog.