I configured my ElastiCache Redis replication group to send notifications to an SNS topic. The SNS topic is encrypted with a custom KMS key.
But I'm not receiving any notifications. Checking the Redis settings, I see the notifications are set to "Inactive". If I try to force them to Active, they are put back to Inactive. I guess this is because ElastiCache is not able to send notifications to the topic.
The KMS key has the following policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Default",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "elasticache.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}
```
The SNS topic has the following policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DefaultStatementID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "sns:Subscribe",
                "sns:SetTopicAttributes",
                "sns:RemovePermission",
                "sns:Publish",
                "sns:ListSubscriptionsByTopic",
                "sns:GetTopicAttributes",
                "sns:DeleteTopic",
                "sns:AddPermission"
            ],
            "Resource": "arn:aws:sns:<region>:<account_id>:<topic_name>",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "<account_id>"
                }
            }
        },
        {
            "Sid": "elasticache-allow-publish",
            "Effect": "Allow",
            "Principal": {
                "Service": "elasticache.amazonaws.com"
            },
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:<region>:<account_id>:<topic_name>"
        }
    ]
}
```
Of course, the region, account ID and topic name are redacted.
What am I missing?
As per the docs:

> The Amazon SNS topic you are publishing to cannot be encrypted.

The SNS topic cannot be encrypted; that is why it is put back to Inactive.
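An added check, not from the question or the answer, that applies this point to a topic's `GetTopicAttributes` output: it flags `KmsMasterKeyId` (server-side encryption, which ElastiCache cannot publish through) and also verifies that the topic policy grants `sns:Publish` to the ElastiCache service principal. The attribute values below are constructed placeholders, not real account data.

```python
import json

ELASTICACHE_PRINCIPAL = "elasticache.amazonaws.com"

# Constructed sample of an sns:GetTopicAttributes response for a topic like the
# one in the question. Account ID, region, topic name and key ID are placeholders.
SAMPLE_TOPIC_ATTRIBUTES = {
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:redis-events",
    "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "elasticache-allow-publish",
            "Effect": "Allow",
            "Principal": {"Service": ELASTICACHE_PRINCIPAL},
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:111122223333:redis-events",
        }],
    }),
}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def policy_allows_elasticache_publish(policy_json, topic_arn):
    """True if an Allow statement grants sns:Publish on topic_arn to the
    ElastiCache service principal. Condition blocks are not evaluated."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ELASTICACHE_PRINCIPAL not in services:
            continue
        if not any(a in ("sns:Publish", "sns:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        if any(r in (topic_arn, "*") for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

def audit_elasticache_topic(attrs):
    """Return findings explaining why ElastiCache would leave notifications
    'Inactive' for this topic; an empty list means the topic is usable."""
    findings = []
    if attrs.get("KmsMasterKeyId"):
        findings.append("topic is encrypted (KmsMasterKeyId set): ElastiCache cannot publish to it")
    if not policy_allows_elasticache_publish(attrs.get("Policy", "{}"), attrs["TopicArn"]):
        findings.append("topic policy does not allow elasticache.amazonaws.com to sns:Publish")
    return findings
```

Run `audit_elasticache_topic` over the real attributes returned by `aws sns get-topic-attributes`; for the topic in the question it reports only the encryption finding, since the publish policy is already correct.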