Be careful of s3:TestEvent When Configuring S3 Notification

Be careful of s3:TestEvent When Configuring S3 Notification

Takahiro Iwasa
Takahiro Iwasa
2 min read
S3 SQS

When configuring event notifications for S3 buckets, s3:TestEvent message will be automatically sent by S3. Users need to handle it properly.

Event message structure - Amazon Simple Storage Service
docs.aws.amazon.com docs.aws.amazon.com

Event message structure - Amazon Simple Storage Service

How an event notification message for Amazon S3 is structured.

When you configure an event notification on a bucket, Amazon S3 sends the following test message.

Creating AWS Resources

Create a CloudFormation template with the following content.

AWSTemplateFormatVersion: "2010-09-09"
Description: Example of CloudWatch events not queueing to SSE SQS
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      NotificationConfiguration:
        QueueConfigurations:
          - Event: 's3:ObjectCreated:Put'
            Queue: !GetAtt Queue.Arn
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  Queue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: s3-event-notification-test-queue
      ReceiveMessageWaitTimeSeconds: 20

  QueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2008-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action:
              - SQS:SendMessage
              - SQS:ReceiveMessage
            Resource: !GetAtt Queue.Arn
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Queues:
        - !Ref Queue

Deploy the CloudFormation stack with the following command.

aws cloudformation deploy --template-file template.yaml --stack-name s3-event-notification-test

Testing

Check the SQS messages with the following command, and you should see s3:TestEvent on line 7 even if no objects have been put in the S3 bucket.

aws sqs receive-message --queue-url https://sqs.ap-northeast-1.amazonaws.com/{AccountId}/s3-event-notification-test-queue

{
  "Messages": [
    {
      "MessageId": "...",
      "ReceiptHandle": "...",
      "MD5OfBody": "...",
      "Body": "{\"Service\":\"Amazon S3\",\"Event\":\"s3:TestEvent\",\"Time\":\"2020-12-29T18:53:47.874Z\",\"Bucket\":\"s3-event-notification-test-bucket-xxxxxxxx\",\"RequestId\":\"...\",\"HostId\":\"...\"}"
    }
  ]
}

Cleaning Up

Clean up the provisioned AWS resources with the following command.

aws cloudformation delete-stack --stack-name s3-event-notification-test

Conclusion

Please handle the s3:TestEvent properly, otherwise it may have bad effects to your systems.

I hope you will find this post useful.

Takahiro Iwasa

Takahiro Iwasa

Software Developer at KAKEHASHI Inc.
Involved in the requirements definition, design, and development of cloud-native applications using AWS. Now, building a new prescription data collection platform at KAKEHASHI Inc. Japan AWS Top Engineers 2020-2023.