I successfully created a lambda function and S3 bucket using a cloudformation stack. I then ran an update to the stack to add a trigger to the S3 bucket to invoke a lambda function.

When I run the update it's giving the following error:

Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: XXXXX; S3 Extended Request ID: XXXXX

This is the update JSON I'm using to add the trigger to the S3 bucket:

   "MyBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
            "BucketName":  "my-bucket",
            "NotificationConfiguration": {
                "LambdaConfigurations": [
                    {
                        "Event": "s3:ObjectCreated:*",
                        "Function": "arn:aws:lambda:ap-southeast-2:my-lambda-arn"
                    }
                ]
            }

I then added an IAM role to give access to the S3 bucket to invoke a lambda function:

"ResourceAccess": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "lambda.amazonaws.com"
                        ]
                    },
                    "Action": [
                        "sts:AssumeRole"
                    ]
                }
            ]
        },
        "Path": "/",
        "Policies": [
            {
                "PolicyName": "giveaccesstodeltas3",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "s3.amazonaws.com"
                            },
                            "Action": "lambda:InvokeFunction",
                            "Resource": "arn:aws:lambda:ap-southeast-2:my-lambda-arn",
                            "Condition": {
                                "StringEquals": {
                                    "AWS:SourceAccount": "123456"
                                },
                                "ArnLike": {
                                    "AWS:SourceArn": "arn:aws:s3:::my-bucket"
                                }
                            }
                        }
                    ]
                }
            }
       ]
    }

It's giving an error saying:

Policy document should not specify a principal. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: XXXXXX)

In order to add this trigger, you must give your S3 bucket permission to invoke the lambda function. In addition, your lambda must have permission to invoke whatever services it affects. My guess is you are missing the first permissions to give: permissions for your S3 bucket to invoke your lambda function.

You can create a policy similar to the following to give the appropriate permissions to your S3 bucket:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "<optional>",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "<ArnToYourFunction>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<YourAccountId>"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::<YourBucketName>"
        }
      }
    }
  ]
}

See this AWS documentation for more info.