Avoiding Pitfalls with s3:TestEvent in AWS S3 Notifications

Takahiro Iwasa

Introduction

When configuring event notifications for Amazon S3 buckets, s3:TestEvent messages are automatically sent by S3. Proper handling of these test messages is essential to avoid potential issues in your systems.

When you configure an event notification on a bucket, Amazon S3 sends a test message whose Event field is s3:TestEvent.

Creating AWS Resources

Follow these steps to create the necessary AWS resources for testing S3 notifications:

CloudFormation Template

Use the following CloudFormation template to create an S3 bucket with an associated SQS queue. The notification configuration is on lines 11-14 of the template.

AWSTemplateFormatVersion: "2010-09-09"
Description: Example of CloudWatch events not queueing to SSE SQS
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      NotificationConfiguration:
        QueueConfigurations:
          - Event: 's3:ObjectCreated:Put'
            Queue: !GetAtt Queue.Arn
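      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    # S3 validates the destination when the notification is configured,
    # so the queue policy must exist before the bucket is created.
    DependsOn: QueuePolicy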

  Queue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: s3-event-notification-test-queue
      ReceiveMessageWaitTimeSeconds: 20

  QueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2008-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            # S3 only needs SendMessage to deliver notifications; consumers
            # read the queue through their own IAM permissions.
            Action:
              - SQS:SendMessage
            Resource: !GetAtt Queue.Arn
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Queues:
        - !Ref Queue

Deploy the CloudFormation Stack

Deploy the stack using the following command:

aws cloudformation deploy --template-file template.yaml --stack-name s3-event-notification-test

Testing the Configuration

To verify the setup, check the SQS messages using the following command:

aws sqs receive-message --queue-url https://sqs.ap-northeast-1.amazonaws.com/{AccountId}/s3-event-notification-test-queue

You should observe the s3:TestEvent message in the output, even if no objects have been added to the bucket.

{
  "Messages": [
    {
      "MessageId": "...",
      "ReceiptHandle": "...",
      "MD5OfBody": "...",
      "Body": "{\"Service\":\"Amazon S3\",\"Event\":\"s3:TestEvent\",\"Time\":\"2020-12-29T18:53:47.874Z\",\"Bucket\":\"s3-event-notification-test-bucket-xxxxxxxx\",\"RequestId\":\"...\",\"HostId\":\"...\"}"
    }
  ]
}
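
One way a queue consumer can handle this message, as an added example (not code from the original article): it classifies each SQS body, acknowledges s3:TestEvent without processing it, and sets aside anything it cannot parse. The function names and the sample batch are constructed for illustration, and the code assumes real notifications arrive directly from S3 with the standard `Records` array.

```python
import json
from urllib.parse import unquote_plus

def classify_body(body):
    """Return ("test", []), ("records", [(bucket, key, event)]) or ("unknown", [])."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "unknown", []
    if not isinstance(doc, dict):
        return "unknown", []
    # The test message carries a top-level "Event" field and no "Records" array.
    if doc.get("Event") == "s3:TestEvent":
        return "test", []
    records = doc.get("Records")
    if not isinstance(records, list) or not records:
        return "unknown", []
    objects = []
    for rec in records:
        try:
            if rec["eventSource"] != "aws:s3":
                return "unknown", []
            # Object keys arrive URL-encoded, with spaces as "+".
            key = unquote_plus(rec["s3"]["object"]["key"])
            objects.append((rec["s3"]["bucket"]["name"], key, rec["eventName"]))
        except (KeyError, TypeError, AttributeError):
            return "unknown", []
    return "records", objects

def triage(messages):
    """Sort a receive-message batch into work, acknowledgements and rejects."""
    work, ack, reject = [], [], []
    for msg in messages:
        kind, objects = classify_body(msg.get("Body"))
        if kind == "test":
            ack.append(msg["ReceiptHandle"])      # delete from the queue, do nothing else
        elif kind == "records":
            work.append((msg["ReceiptHandle"], objects))
        else:
            reject.append(msg["ReceiptHandle"])   # do not process; inspect or dead-letter
    return work, ack, reject

# Constructed sample batch: the test message shape from this page plus one Put event.
SAMPLE = [
    {"ReceiptHandle": "rh-1", "Body": json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "example-bucket"})},
    {"ReceiptHandle": "rh-2", "Body": json.dumps({"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "example-bucket"}, "object": {"key": "reports/2020+Q4.csv"}}}]})},
    {"ReceiptHandle": "rh-3", "Body": "not json"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A consumer that indexes `Records` directly raises on the test message and leaves it to be redelivered; classifying first avoids that.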

Cleaning Up Resources

After completing the testing, clean up the resources to avoid unnecessary costs:

aws cloudformation delete-stack --stack-name s3-event-notification-test

Conclusion

Properly handling the s3:TestEvent message is crucial for ensuring the reliability of your S3 notification system. Failure to manage these messages can lead to misinterpretations or unintended consequences in downstream systems.

Happy Coding! 🚀

Takahiro Iwasa

Software Developer at KAKEHASHI Inc.
Involved in the requirements definition, design, and development of cloud-native applications using AWS. Now, building a new prescription data collection platform at KAKEHASHI Inc. Japan AWS Top Engineers 2020-2023.