Reputation: 2928
S3 Event notification to KMS_MANAGED encrypted SQS queue (in CDK) not working
I have an architecture developed with CDK with a S3 bucket and an event notification which will send a message to a SQS for each uploaded file to S3.
It works fine.
Now I'm trying to activate the encryption and I have the following:
- for S3 -> I have activated the encryption using S3_MANAGED key and everything works fine
- for SQS -> I have activated the encryption using KMS_MANAGED key and there is no message sent to SQS.
So I'm assuming some permissions are missing but I don't know how to fix it.
Do I need to add missing permissions to SQS to read from S3? Or permissions to S3 to send messages to a encrypted SQS?
Upvotes: 1
Views: 1603
Answers (1)
Reputation: 25639
TL;DR S3 Notifications don't work with sqs.QueueEncryption.KMS_MANAGED. Use a customer-managed key to encrypt the queue.
The default AWS managed KMS key can't be modified. You must use a customer managed key ... and add permissions to the KMS key to allow access to a specified service principal.
Here's a minimal working example:
// S3 Notifications to a Encrypted Queue
export class S3SqsStack extends cdk.Stack {
constructor(scope: Construct, id: string, props: cdk.StackProps) {
super(scope, id, props);
const bucket = new s3.Bucket(this, 'MyBucket', {
encryption: s3.BucketEncryption.S3_MANAGED,
});
// https://aws.amazon.com/premiumsupport/knowledge-center/sqs-s3-event-notification-sse/
const key = new kms.Key(this, 'MyCustomerKey', {
policy: new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
actions: ['kms:GenerateDataKey', 'kms:Decrypt'],
resources: ['*'], // avoid circularity by not limiting the resource
principals: [new iam.ServicePrincipal('s3.amazonaws.com')],
}),
],
}),
});
const queue = new sqs.Queue(this, 'MyQueue', {
encryption: sqs.QueueEncryption.KMS,
encryptionMasterKey: key,
});
bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.SqsDestination(queue));
}
}
Upvotes: 5
Related Questions
- AWS CDK - How to add an event notification to an existing S3 Bucket
- Unable to attach Amazon SQS to Amazon S3 event notification
- Unable to configure SQS queue notification in S3
- Setting up an s3 event notification for an existing bucket to SQS using cdk is trying to create an unknown lambda function
- Encrypted bucket notifications from S3 to SQS
- How to Interact with an Encrypted SQS Queue? KMS Key Access not Working
- S3 and encrypted SQS integration issue
- aws cloudformation s3 event notification to SQS not working
- S3 event notification only sends metadata to SQS
- AWS: Cannot encrypt an S3 object using my own KMS key