How do I write an encrypted SQS policy statement for S3 events?

I have an SQS queue that used to have the following policy document, to receive S3 events from a bucket:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}


I have now enabled Server-Side Encryption (SSE) for the queue, and I followed this document for writing a policy statement for encryption. The policy document now looks like this:

{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<>:cypher-queue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"
        }
      }
    }
  ]
}


But now the queue doesn't receive any messages from the bucket when I add files. Did I do something wrong with the permissions?



1 answer


I missed the following note in the same article. A very stupid mistake on my part. We'll have to wait for S3 events to be sent to encrypted SQS.



The following AWS service features are not currently compatible with encrypted queues:

Amazon CloudWatch Events

Amazon S3 Event Notifications

Amazon SNS Topic Subscription

Auto Scaling Lifecycle Hooks

AWS IoT Rule Actions

AWS Lambda Dead-Letter Queues

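Independently of the service compatibility note quoted in the answer, the revised queue policy in the question has structural problems that a small lint would catch. The following Python script is an added example, not code from the question or answer: it runs a few checks over a copy of that policy (account id elided as in the post) that every resource-based policy statement names a Principal, that only sqs: actions are granted on the queue ARN (kms: permissions belong in the KMS key policy that the SQS SSE document describes), and that a wildcard Principal is narrowed by a Condition.

```python
import json

# Constructed copy of the revised queue policy from the question (account id elided as in the post).
QUEUE_ARN = "arn:aws:sqs:us-east-1:<>:cypher-queue"
SOURCE_COND = {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:cypher-secondarybucket"}}
POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "example-statement-ID", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": QUEUE_ARN,
         "Condition": SOURCE_COND},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": QUEUE_ARN, "Condition": SOURCE_COND},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sqs:SendMessage",
         "Resource": QUEUE_ARN, "Condition": SOURCE_COND},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def lint_queue_policy(policy):
    """Return (statement_index, finding) pairs for an SQS queue (resource-based) policy."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        # 1. A resource-based policy statement must name a Principal (or NotPrincipal).
        if "Principal" not in st and "NotPrincipal" not in st:
            findings.append((i, "missing Principal"))
        # 2. Only sqs: actions are meaningful on a queue ARN; kms:* goes in the KMS key policy.
        for action in _as_list(st.get("Action", [])):
            if not action.lower().startswith("sqs:"):
                findings.append((i, f"non-SQS action {action} in a queue policy"))
        # 3. The resource should be an SQS queue ARN.
        for resource in _as_list(st.get("Resource", [])):
            if not resource.startswith("arn:aws:sqs:"):
                findings.append((i, f"non-SQS resource {resource}"))
        # 4. A wildcard Principal needs a narrowing Condition such as aws:SourceArn.
        if st.get("Principal") in ("*", {"AWS": "*"}) and not st.get("Condition"):
            findings.append((i, "wildcard Principal without a Condition"))
    return findings


if __name__ == "__main__":
    for idx, msg in lint_queue_policy(json.loads(json.dumps(POLICY))):
        print(f"statement {idx}: {msg}")
```

Running it reports the second statement three times: it has no Principal and grants two kms: actions against the queue ARN, while the first and third statements pass.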
