Unable to attach Amazon SQS to Amazon S3 event notification

Question

I have 2 different buckets. One is able to attach Amazon SQS to event notification and the second doesn't.

SQS permissions is broad enough. It's smth with S3 bucket. But I can't figure it out.

There are no "Deny" clauses in bucket policy. There are several additional ACL though...

This is my Access Policy stored in SQS:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "*",
      "Resource": "*"
    }
  ]
}

This is the error:

Answer 1

Yes, I have seen this before.

You must create an Access Policy on the Amazon SQS queue to permit access by the Amazon S3 bucket.

Here is a sample policy from Granting permissions to publish event notification messages to a destination - Amazon Simple Storage Service :

{
 "Version": "2012-10-17",
 "Id": "example-ID",
 "Statement": [
  {
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
     "Service": "s3.amazonaws.com"  
   },
   "Action": [
    "SQS:SendMessage"
   ],
   "Resource": "arn:aws:sqs:Region:account-id:queue-name",
   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1" },
      "StringEquals": { "aws:SourceAccount": "bucket-owner-account-id" }
   }
  }
 ]
}

See also: Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue) - Amazon Simple Storage Service

Answer 2

I contacted AWS Support. There provided undocumented details:

So, each time an S3 event is edited or saved, there will be validation of the current destinations since the PutBucketNotification will replace the existing notification configuration and not update it.

So I had another legacy S3 event that didn't have correct permissions. I removed it, and everything is working right now. Thank you to all who tried to help :)