AWS KMS - why do I need the "kms:Decrypt" permission when I try to encrypt data?


I noticed that in both of the following scenarios:

  1. S3 - PutObject to an encrypted bucket.
  2. SQS - SendMessage to an encrypted queue.

I need to have the kms:Decrypt permission (in addition to the kms:GenerateDataKey permission), otherwise it throws an "unauthorized" exception.

Why would that be the case?


Solution

  • From AWS:

    The call to kms:Decrypt is to verify the integrity of the new data key before using it. Therefore, the producer must have the kms:GenerateDataKey and kms:Decrypt permissions for the customer master key (CMK).

    https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
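The permission set the answer describes, as an added example that is not part of the original post: a constructed IAM identity policy that grants a producer both kms:GenerateDataKey and kms:Decrypt on the key, plus a small check that reports which of the two is missing from a policy. The key ARN, account id and region are placeholders, and the kms:ViaService condition is an optional tightening not mentioned in the question.

```python
import fnmatch

# Constructed example, not from the original post. Placeholder key ARN
# (hypothetical account, region and key id).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Both actions are required by the producer: GenerateDataKey to obtain a
# data key, and Decrypt because the service verifies the new data key
# before using it (the reason quoted from the AWS docs above).
PRODUCER_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

# Working producer policy (constructed). kms:ViaService restricts use of this
# grant to requests that arrive through the SQS/S3 service endpoints, so the
# principal cannot call kms:Decrypt directly on arbitrary ciphertext with it.
PRODUCER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProducerDataKeyAccess",
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": KEY_ARN,
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": [
                        "sqs.us-east-1.amazonaws.com",
                        "s3.us-east-1.amazonaws.com",
                    ]
                }
            },
        }
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_producer_actions(policy, key_arn=KEY_ARN):
    """Return the producer actions no Allow statement grants on key_arn.

    Simplified IAM evaluation: Allow statements only, with IAM-style '*'
    wildcards on Action and Resource (actions compared case-insensitively).
    Explicit Denies and Condition blocks are not evaluated here.
    """
    missing = set(PRODUCER_ACTIONS)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            missing -= {a for a in PRODUCER_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return sorted(missing)
```

A policy that grants only kms:GenerateDataKey* reproduces the "unauthorized" case from the question and is reported as missing kms:Decrypt.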