I have an SQS event set for an S3 bucket. When a file with the name xyz.txt is uploaded to S3, the SQS event is called and then this SQS queue calls a Lambda.
This workflow is working fine.
Now I want to encrypt my SQS queue; for this I am using one of the existing CMKs, "services-cmk". After the queue is encrypted, S3 is not able to invoke SQS. When I put a message directly into the encrypted SQS queue it works and the Lambda also gets triggered.
I checked the policy of services-cmk and it allows S3. I am not able to find out what I am missing here.
You have to explicitly specify S3 (using root as Principal is not enough) in your KMS key policy, as explained here:
{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
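As an added example (not part of the original answer), a small check that reads a KMS key policy and reports which of the two actions above S3 is still missing, so you can confirm the grant is present before switching the queue to SSE-KMS. The helper names, the sample policies and the account id are all constructed for this illustration; it only evaluates Allow statements and ignores Deny and Condition, which is a stated simplification.

```python
import json

# The two KMS permissions S3 needs on the queue's CMK (the ones in the answer above).
REQUIRED_ACTIONS = {"kms:generatedatakey", "kms:decrypt"}
S3_SERVICE = "s3.amazonaws.com"

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _names_service(principal, service):
    """True if the Principal element names the service (or is the wildcard '*')."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))

def s3_missing_kms_actions(policy_json):
    """Return the required actions the key policy does NOT grant to S3 (empty set = OK).
    Only Allow statements are inspected; Deny statements and Condition blocks are
    ignored (a simplification), so a real policy still needs review beyond this check."""
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _names_service(stmt.get("Principal"), S3_SERVICE):
            continue
        for action in _as_list(stmt.get("Action")):
            action = action.lower()  # IAM action names are case-insensitive
            if action in ("*", "kms:*"):
                granted |= REQUIRED_ACTIONS
            elif action.endswith("*"):  # prefix wildcard such as kms:Generate*
                granted |= {a for a in REQUIRED_ACTIONS if a.startswith(action[:-1])}
            else:
                granted.add(action)
    return REQUIRED_ACTIONS - granted

# Constructed samples (account id is a placeholder): a key policy that only trusts the
# account root, which the answer says is not enough, and the same policy with the
# explicit s3.amazonaws.com grant from the answer added.
ROOT_STMT = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
             "Action": "kms:*", "Resource": "*"}
S3_STMT = {"Effect": "Allow", "Principal": {"Service": S3_SERVICE},
           "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}
ROOT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STMT]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STMT, S3_STMT]})

if __name__ == "__main__":
    print("root-only policy, S3 still missing:", s3_missing_kms_actions(ROOT_ONLY_POLICY))
    print("fixed policy, S3 still missing:", s3_missing_kms_actions(FIXED_POLICY))
```

To run it against a real key, feed the output of `aws kms get-key-policy --key-id <id> --policy-name default --output text` to `s3_missing_kms_actions`.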