S3 Bucket Event Notifications Enabled
Overview
This check verifies that your Amazon S3 buckets have event notifications configured. Event notifications let you know when important things happen to your data, such as when files are uploaded, deleted, or modified.
Risk
Without event notifications, changes to your S3 buckets go unnoticed. This means:
- You may miss unauthorized file uploads or deletions
- Data pipeline failures could go undetected
- Security incidents may not be caught in time
- Compliance auditing becomes difficult
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify S3 bucket settings, OR
- AWS CLI configured with appropriate credentials
AWS Console Method
- Open the Amazon S3 console
- Click on the bucket you want to configure
- Go to the Properties tab
- Scroll down to Amazon EventBridge
- Click Edit
- Select On to enable EventBridge notifications
- Click Save changes
That's it! Your bucket will now send events to Amazon EventBridge, where you can route them to other services as needed.
AWS CLI (optional)
Enable EventBridge notifications (simplest approach):
aws s3api put-bucket-notification-configuration \
--bucket <your-bucket-name> \
--notification-configuration '{"EventBridgeConfiguration": {}}' \
--region us-east-1
Enable notifications to an SNS topic:
aws s3api put-bucket-notification-configuration \
--bucket <your-bucket-name> \
--notification-configuration '{
"TopicConfigurations": [
{
"TopicArn": "arn:aws:sns:us-east-1:<account-id>:<topic-name>",
"Events": ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"]
}
]
}' \
--region us-east-1
Enable notifications to an SQS queue:
aws s3api put-bucket-notification-configuration \
--bucket <your-bucket-name> \
--notification-configuration '{
"QueueConfigurations": [
{
"QueueArn": "arn:aws:sqs:us-east-1:<account-id>:<queue-name>",
"Events": ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"]
}
]
}' \
--region us-east-1
Replace placeholders:
<your-bucket-name>- Your S3 bucket name<account-id>- Your AWS account ID<topic-name>or<queue-name>- Your SNS topic or SQS queue name
CloudFormation (optional)
Note: CloudFormation manages the bucket as a resource. To add notifications to an existing bucket, you need to import it into your stack or create a new bucket with notifications enabled.
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with EventBridge notifications enabled
Parameters:
BucketName:
Type: String
Description: Name for the S3 bucket
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref BucketName
NotificationConfiguration:
EventBridgeConfiguration:
EventBridgeEnabled: true
Outputs:
BucketName:
Description: The name of the S3 bucket with event notifications enabled
Value: !Ref S3Bucket
With SNS topic notifications:
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with SNS event notifications
Parameters:
BucketName:
Type: String
Description: Name for the S3 bucket
TopicArn:
Type: String
Description: ARN of the SNS topic for notifications
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref BucketName
NotificationConfiguration:
TopicConfigurations:
- Topic: !Ref TopicArn
Event: s3:ObjectCreated:*
- Topic: !Ref TopicArn
Event: s3:ObjectRemoved:*
Outputs:
BucketName:
Description: The name of the S3 bucket with event notifications enabled
Value: !Ref S3Bucket
Deploy the stack:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name s3-event-notifications \
--parameter-overrides BucketName=<your-bucket-name> \
--region us-east-1
Terraform (optional)
Enable EventBridge notifications for an existing bucket:
variable "bucket_name" {
description = "Name of the S3 bucket to configure notifications for"
type = string
}
resource "aws_s3_bucket_notification" "event_notifications" {
bucket = var.bucket_name
eventbridge = true
}
With SNS topic notifications:
variable "bucket_name" {
description = "Name of the S3 bucket"
type = string
}
variable "sns_topic_arn" {
description = "ARN of the SNS topic for notifications"
type = string
}
resource "aws_s3_bucket_notification" "event_notifications" {
bucket = var.bucket_name
topic {
topic_arn = var.sns_topic_arn
events = ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"]
}
}
With Lambda function:
variable "bucket_name" {
description = "Name of the S3 bucket"
type = string
}
variable "lambda_function_arn" {
description = "ARN of the Lambda function"
type = string
}
resource "aws_s3_bucket_notification" "event_notifications" {
bucket = var.bucket_name
lambda_function {
lambda_function_arn = var.lambda_function_arn
events = ["s3:ObjectCreated:*"]
}
}
Apply the configuration:
terraform init
terraform plan -var="bucket_name=<your-bucket-name>"
terraform apply -var="bucket_name=<your-bucket-name>"
Verification
After enabling event notifications, verify the configuration:
- In the S3 console, open your bucket
- Go to the Properties tab
- Scroll to Amazon EventBridge - it should show On
- Check the Event notifications section for any additional configurations
CLI verification
aws s3api get-bucket-notification-configuration \
--bucket <your-bucket-name> \
--region us-east-1
A properly configured bucket will return a response with EventBridgeConfiguration, TopicConfigurations, QueueConfigurations, or LambdaFunctionConfigurations present.
An empty response {} means no notifications are configured.
Additional Resources
- Amazon S3 Event Notifications
- Using Amazon S3 Event Notifications with Amazon EventBridge
- Supported S3 Event Types
Notes
- EventBridge is recommended: It provides the most flexibility for routing events to multiple destinations and adding filtering rules.
- Destination permissions: If using SNS, SQS, or Lambda, ensure the destination has a resource policy allowing S3 to publish to it.
- Avoid recursive triggers: Be careful when Lambda functions triggered by S3 events write back to the same bucket - this can create infinite loops.
- Event filtering: Use prefix and suffix filters to limit which objects trigger notifications (e.g., only
.csvfiles in a specific folder). - Not supported for directory buckets: Event notifications are only available for general-purpose S3 buckets, not S3 Express One Zone directory buckets.