Aws_s3_bucket_notification fails with error InvalidArgument: Unable to validate the following destination configurations

I have the following script that creates an AWS SQS queue, an S3 bucket and an event notification:

resource "aws_sqs_queue" "my_queue" {
  name                              = "my-queue"
  receive_wait_time_seconds         = 20
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}

resource "aws_sqs_queue_policy" "my_queue_policy" {
  queue_url = aws_sqs_queue.my_queue.id

  # Let the S3 service principal publish to the queue, scoped to this account and bucket.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "${aws_sqs_queue.my_queue.arn}",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111111111111"
        },
        "ArnLike": {
          "aws:SourceArn": "${aws_s3_bucket.my_bucket.arn}"
        }
      }
    }
  ]
}
POLICY
}

# The canonical user ID was not shown in the post; look up the caller's instead of hard-coding one.
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-bucket"

  grant {
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
    id          = data.aws_canonical_user_id.current.id
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_notification" "my_bucket" {
  # S3 sends a test message to the queue when the notification is put, so the queue policy must already exist.
  depends_on = [aws_sqs_queue.my_queue, aws_sqs_queue_policy.my_queue_policy]

  bucket = aws_s3_bucket.my_bucket.id

  queue {
    id        = "my-queue-notification" # placeholder; the value was not shown in the post
    queue_arn = aws_sqs_queue.my_queue.arn
    events    = ["s3:ObjectCreated:*"]
  }
}

This worked perfectly fine the first time I ran it. Then I needed to alter my my-queue name. So I did and then tried applying my changes again with Terraform. Now it can no longer create the aws_s3_bucket_notification resource. It fails with this:

Error: error putting S3 Bucket Notification Configuration: InvalidArgument: Unable to validate the following d
        status code: 400, request id: ABC...., host id: HGJHKASDGYH...

So then I completely deleted the resources above and re-ran it; I still get the same error that the bucket notification cannot validate.


I managed to solve it. By removing encryption in the tf script I could again add the events. Then I could just add encryption back and rerun to enable encryption again.

1 Like
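An added example, not part of the thread above: the setting that trips this validation and a configuration that keeps the queue encrypted without tripping it. When S3 accepts a notification configuration it sends a test message (s3:TestEvent) to the destination, so the queue must be writable by the S3 service principal at that moment. With kms_master_key_id = "alias/aws/sqs" the queue is encrypted with the AWS-managed SQS key, whose key policy cannot be edited, so S3 can never be granted kms:GenerateDataKey on it and the PUT fails with "Unable to validate the following destination configurations". A customer-managed key whose policy grants the S3 service principal kms:GenerateDataKey* and kms:Decrypt removes the need to toggle encryption off and on. This assumes the aws_s3_bucket.my_bucket and aws_sqs_queue_policy.my_queue_policy resources from the original post; the key description and alias name are placeholders.

```hcl
data "aws_caller_identity" "current" {}

# BEFORE (fails destination validation): the AWS-managed key. Its key policy is owned by AWS,
# so the S3 service principal cannot be granted kms:GenerateDataKey on it.
#   kms_master_key_id = "alias/aws/sqs"

# AFTER: a customer-managed key whose policy lets S3 encrypt the messages it publishes.
resource "aws_kms_key" "s3_events" {
  description         = "CMK for SQS queues that receive S3 event notifications" # placeholder
  enable_key_rotation = true

  # In a key policy, Resource "*" means this key only.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowKeyAdministrationByAccount"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowS3ToEncryptNotifications"
        Effect    = "Allow"
        Principal = { Service = "s3.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "s3_events" {
  name          = "alias/s3-event-queues" # placeholder alias name
  target_key_id = aws_kms_key.s3_events.key_id
}

resource "aws_sqs_queue" "my_queue" {
  name                              = "my-queue"
  receive_wait_time_seconds         = 20
  kms_master_key_id                 = aws_kms_key.s3_events.arn # CMK instead of alias/aws/sqs
  kms_data_key_reuse_period_seconds = 300
}

# The SQS:SendMessage queue policy from the original post is still required. Depend on the
# policy, not just the queue, because the s3:TestEvent is sent during the PUT of this resource.
resource "aws_s3_bucket_notification" "my_bucket" {
  depends_on = [aws_sqs_queue_policy.my_queue_policy]
  bucket     = aws_s3_bucket.my_bucket.id

  queue {
    queue_arn = aws_sqs_queue.my_queue.arn
    events    = ["s3:ObjectCreated:*"]
  }
}
```

A quick check that the destination is reachable before touching Terraform: a queue encrypted with alias/aws/sqs will show that key under KmsMasterKeyId in aws sqs get-queue-attributes --attribute-names KmsMasterKeyId, and no queue-policy change will make S3 validation succeed until the key is swapped for one whose policy you control.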

Spent a day trying to figure this out! Thanks for this post

I hit this one as well. Did you get to the root cause? Thank you!

1 Like