This newer setup requires additional permissions that were not part of the original configuration. Because of this, the system is unable to complete the sync setup and shows the following error about missing SNS permissions.

{"message":"The IAM role does not have the required SNS permissions to enable sync. Please update your CloudFormation stack with the latest template to add SNS permissions.","error":"Bad Request","statusCode" :400}

You may still see files being uploaded from Salesforce to S3, since that part of the integration continues to work independently of the sync setup.

To resolve this issue, you need to update the IAM role used for your S3 connection to include the required SNS permissions.

Step 1: Find the IAM role used for your S3 connection

  1. Go to the AWS account where your S3 integration was set up and open the CloudFormation service.
  2. Locate the stack that was created for the CloudFiles S3 setup and open it. Navigate to the Outputs tab and find the Role ARN. The value will look similar to:

arn:aws:iam::{accountId}:role/{iamRole}

  1. Note the role name after role/.

Step 2: Open the role in AWS IAM

  1. Go to IAMRoles in AWS.
  2. Search for the role using the name you identified from the Role ARN and open it.

Step 3: Add the required SNS permissions

  1. Edit the permissions for this role and add the following policy statement:

{
  "Action": [
    "sns:CreateTopic",
    "sns:DeleteTopic",
    "sns:Subscribe",
    "sns:Unsubscribe",
    "sns:SetTopicAttributes",
    "sns:GetTopicAttributes",
    "sns:ListSubscriptionsByTopic"
  ],
  "Resource": [
    "arn:aws:sns:*:{your-aws-account-id}:CloudFiles-*"
  ],
  "Effect": "Allow"
}

  1. Replace {your-aws-account-id} with your AWS account ID.

This allows CloudFiles to create and manage the SNS topic required for the automated sync setup.

Step 4: Save the changes

  1. Save the updated policy and make sure it is attached correctly to the IAM role.

Step 5: Turn sync back on in CloudFiles

  1. Return to CloudFiles and enable sync toggle for the S3 connection.
  2. The setup should now complete successfully.

Expected result

Once the permissions are updated and sync is enabled, CloudFiles will be able to complete the automated setup and start syncing changes from your S3 bucket.

If the issue continues

If you still see an error, double-check that the permissions were added to the correct IAM role and that the AWS account ID in the policy is correct. You can then try enabling sync again.

If the issue persists, contact support@cloudfiles.io and share the error message along with the Role ARN used for your S3 connection.