Avoiding Common Pitfalls with s3:TestEvent in AWS S3 Notifications


Takahiro Iwasa

When configuring event notifications for S3 buckets, s3:TestEvent messages are automatically sent by S3. If this test message is not handled properly, it may cause unexpected issues.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-content-structure.html

When you configure an event notification on a bucket, Amazon S3 sends a test message with the s3:TestEvent.

Building

Create a CloudFormation stack template:

template.yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example of CloudWatch events not queueing to SSE SQS
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    # The queue policy must exist before S3 validates the notification destination
    DependsOn: QueuePolicy
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      NotificationConfiguration:
        QueueConfigurations:
          - Event: 's3:ObjectCreated:Put'
            Queue: !GetAtt Queue.Arn
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  Queue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: s3-event-notification-test-queue
      ReceiveMessageWaitTimeSeconds: 20
  QueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2008-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action:
              - SQS:SendMessage
              # S3 only sends to the queue; ReceiveMessage is not needed for delivery
              - SQS:ReceiveMessage
            Resource: !GetAtt Queue.Arn
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Queues:
        - !Ref Queue

Deploy the stack using the following command:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name s3-event-notification-test

Testing

To verify the setup, check the SQS messages using the following command:

aws sqs receive-message \
  --queue-url https://sqs.ap-northeast-1.amazonaws.com/{AccountId}/s3-event-notification-test-queue

You should observe the s3:TestEvent message in the output, even if no objects have been added to the bucket.

{
  "Messages": [
    {
      "MessageId": "...",
      "ReceiptHandle": "...",
      "MD5OfBody": "...",
      "Body": "{\"Service\":\"Amazon S3\",\"Event\":\"s3:TestEvent\",\"Time\":\"2020-12-29T18:53:47.874Z\",\"Bucket\":\"s3-event-notification-test-bucket-xxxxxxxx\",\"RequestId\":\"...\",\"HostId\":\"...\"}"
    }
  ]
}
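
A consumer-side check for the pitfall described above, as an added example that is not part of the original post: the test message carries no "Records" key, so a handler that indexes it directly fails on the first message it receives. The function name, the sample Put record, and its bucket and key names are constructed for illustration.

```python
import json
from urllib.parse import unquote_plus

# Constructed samples: the first mirrors the test message shown above,
# the second is a minimal ObjectCreated:Put record with made-up names.
TEST_BODY = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                        "Time": "2020-12-29T18:53:47.874Z",
                        "Bucket": "s3-event-notification-test-bucket-xxxxxxxx",
                        "RequestId": "...", "HostId": "..."})
PUT_BODY = json.dumps({"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-bucket"},
           "object": {"key": "reports/2020+q4.csv", "size": 42}}}]})


def parse_s3_notification(body):
    """Return a list of (event_name, bucket, key) from one SQS message body.

    The s3:TestEvent message has no "Records" key, so it yields an empty
    list; the caller should delete it from the queue instead of retrying.
    Anything that is neither a test event nor a Records list is rejected.
    """
    try:
        msg = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("message body is not JSON") from exc
    if not isinstance(msg, dict):
        raise ValueError("message body is not a JSON object")
    if msg.get("Event") == "s3:TestEvent":
        return []
    records = msg.get("Records")
    if not isinstance(records, list):
        raise ValueError("not an S3 notification: no Records list")
    events = []
    for rec in records:
        s3 = rec["s3"]
        # Object keys arrive URL-encoded (a space is sent as "+").
        key = unquote_plus(s3["object"]["key"])
        events.append((rec["eventName"], s3["bucket"]["name"], key))
    return events


if __name__ == "__main__":
    for body in (TEST_BODY, PUT_BODY):
        print(parse_s3_notification(body))
```

Rejecting unknown shapes with an error, instead of silently skipping them, keeps unexpected messages visible in a dead-letter queue or logs.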

Cleaning Up

Clean up all the AWS resources provisioned during this example with the following command:

aws cloudformation delete-stack --stack-name s3-event-notification-test