diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
index 34a59b7..9de03d3 100644
--- a/cloudtrail/sns.s3.tf
+++ b/cloudtrail/sns.s3.tf
@@ -58,8 +58,8 @@ data "aws_iam_policy_document" "cloudtrail_s3_topic" {
 ## values = [local.account_id]
 ## }
 condition {
- test = "ArnLike"
- variable = "AWS:SourceArn"
+ test = ""
+ variable = "aws:SourceArn"
 values = [aws_s3_bucket.this.arn]
 }
 }
diff --git a/cloudtrail/sqs.s3.tf b/cloudtrail/sqs.s3.tf
index 61c5114..23edc76 100644
--- a/cloudtrail/sqs.s3.tf
+++ b/cloudtrail/sqs.s3.tf
@@ -93,6 +93,21 @@ data "aws_iam_policy_document" "cloudtrail_s3_sqs" {
 values = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
 }
 }
+ statement {
+ sid = "AllowSQSS3SendMessage"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+ actions = ["sqs:SendMessage"]
+ resources = [var.enable_s3_sqs ? aws_sqs_queue.cloudtrail_s3[0].arn : ""]
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+ }
+ }
 }
 resource "aws_sns_topic_subscription" "cloudtrail_s3_sqs" {
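Review bot: The new `test = ""` in the `cloudtrail_s3_topic` condition block is an empty condition operator, so the rendered topic policy will be rejected rather than enforce anything; the operator should stay a real one, e.g. `test = "ArnLike"` (or `ArnEquals`, since the value is a single bucket ARN), with the `aws:SourceArn` key fix kept. Until that is restored, the `aws:SourceArn` pinning that stops any other S3 bucket from publishing to this topic (a classic confused-deputy path for service principals) is not in effect. The adjacent commented-out `## values = [local.account_id]` suggests an `aws:SourceAccount` condition was once present; re-enabling it alongside `aws:SourceArn` is cheap defence in depth. The enclosing `data "aws_iam_policy_document"` block starts and ends outside this hunk.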
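Review bot: The new `AllowSQSS3SendMessage` statement grants `s3.amazonaws.com` the right to `sqs:SendMessage`, but its `aws:SourceArn` condition compares against the SNS topic ARN; when S3 delivers a notification directly to SQS, `aws:SourceArn` carries the bucket ARN, so this condition can never match and the statement is dead (or, if the intent is SNS fan-out, the principal should be `sns.amazonaws.com`, which the partially visible statement above this one appears to handle). For direct bucket-to-queue delivery the condition should read `values = [aws_s3_bucket.this.arn]`, ideally paired with an `aws:SourceAccount` condition. Note also that the `: ""` fallbacks in `resources` and `values` leave an empty-string ARN in the policy whenever `enable_s3_sqs` or `enable_s3_sns` is false, which AWS rejects; a `dynamic "statement"` gated on those flags avoids emitting the statement at all. The enclosing `data "aws_iam_policy_document" "cloudtrail_s3_sqs"` block starts outside this hunk.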