Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?


I want to resolve why the messages I publish to my Amazon Simple Notification Service (Amazon SNS) topic aren't delivered to my Amazon Simple Queue Service (Amazon SQS) queue that has server-side encryption (SSE) activated.

Short description

Your Amazon SQS queue must use an AWS KMS key (KMS key) that is customer managed. This KMS key must include a custom key policy that gives Amazon SNS sufficient key usage permissions.

Note: The required permissions aren't included in the default key policy of the AWS managed KMS key for Amazon SQS, and you can't modify this policy.

If your topic has SSE activated, then you must also do the following:

Configure AWS Key Management Service (AWS KMS) permissions that allow your publisher to publish messages to your encrypted topic.

Resolution

Complete the following steps:

  1. Create a new customer managed KMS key with a key policy that has the required permissions for Amazon SNS.
  2. Configure SSE for your Amazon SQS queue using the custom KMS key that you just created.
  3. If your Amazon SNS topic has SSE activated: Configure AWS KMS permissions that allow your publisher to publish messages to your encrypted topic.

For more information, see Activating server-side encryption (SSE) for an Amazon SNS topic with an encrypted Amazon SQS queue subscribed.
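
To verify step 1 before you subscribe the queue, the following added example (not AWS's own code) checks a key policy document for the statement that Amazon SNS needs. The required actions (`kms:GenerateDataKey*`, `kms:Decrypt`) and the `sns.amazonaws.com` service principal come from AWS documentation rather than this page; the sample policies and account ID are constructed, and `Condition`, `NotAction` and wildcard principals are not evaluated.

```python
import fnmatch
import json

# Actions Amazon SNS needs on the queue's key, per AWS documentation
# (this page does not list them).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
SNS_PRINCIPAL = "sns.amazonaws.com"

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _names_sns(stmt):
    """True if the statement names the SNS service principal explicitly."""
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and SNS_PRINCIPAL in _as_list(principal.get("Service"))

def _covers(stmt, action):
    """IAM-style, case-insensitive wildcard match against the statement's Action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))

def missing_sns_actions(policy_json):
    """Return the required actions the key policy does not grant to Amazon SNS."""
    stmts = [s for s in _as_list(json.loads(policy_json).get("Statement")) if _names_sns(s)]
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in stmts)
        if denied or not allowed:  # an explicit Deny overrides any Allow
            missing.append(action)
    return missing

# Constructed sample policies; 111122223333 is a placeholder account ID.
ROOT_STMT = {"Sid": "EnableIAMPolicies", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"}
SNS_STMT = {"Sid": "AllowSNS", "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}
WITHOUT_SNS = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STMT]})
WITH_SNS = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_STMT, SNS_STMT]})

if __name__ == "__main__":
    print("without SNS statement, missing:", missing_sns_actions(WITHOUT_SNS))
    print("with SNS statement, missing:", missing_sns_actions(WITH_SNS))
```

To check a real key, pass the policy text returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text` to `missing_sns_actions`.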

Note: To troubleshoot other message delivery issues, see Amazon SNS message delivery status.

Related information

Encryption at rest for Amazon SQS

Encryption at rest for Amazon SNS data

Configuring server-side encryption (SSE) for an SNS topic

Using key policies in AWS KMS

Encrypting messages published to Amazon SNS with AWS KMS

AWS OFFICIAL
Updated 3 months ago