Why aren’t Amazon S3 event notifications delivered to an Amazon SQS queue that uses server-side encryption?

Last updated: 2021-08-16

Amazon Simple Storage Service (Amazon S3) event notifications aren't getting delivered to my Amazon Simple Queue Service (Amazon SQS) queue. For example, I’m not receiving Amazon S3 ObjectCreated event notifications when an object is uploaded to the S3 bucket. My Amazon SQS queue has server-side encryption (SSE) turned on.

How can I get S3 event notifications delivered to an Amazon SQS queue that uses SSE?

Resolution

To configure and send S3 event notifications to an Amazon SQS queue that uses SSE, follow these steps:

Create a customer-managed AWS KMS key and configure the key policy

You can encrypt Amazon SQS queues and Amazon Simple Notification Service (Amazon SNS) topics with a customer managed AWS Key Management Service (AWS KMS) key. However, you must grant the Amazon S3 service principal permissions to work with encrypted topics or queues.

Note: The default AWS managed KMS key can't be modified. You must use a customer managed key for the following process and add permissions to the KMS key to allow access to a specified service principal.

To grant the Amazon S3 service principal permissions, add the following statement to the customer managed key policy:

Note: Replace "arn:aws:iam::111122223333:root" with the root Amazon Resource Name (ARN) of your AWS account.

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

Create an SQS queue and grant Amazon S3 permissions

1.    Create an Amazon SQS queue configured to use SSE. For more information, see Configuring server-side encryption (SSE) for a queue (console).

2.    To allow Amazon S3 to send messages to the queue, add the following permissions statement to the SQS queue:

Note: Replace the Resource value with your SQS queue ARN, aws:SourceAccount with your AWS source account ID, and aws:SourceArn with your Amazon S3 bucket ARN.

{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111122223333:sqs-s3-kms-same-account",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:hellobucket"
        }
      }
    }
  ]
}

In the preceding example permissions statement, the S3 bucket hellobucket, owned by customer account 123456789, can send ObjectCreated event notifications to the specified SQS queue.
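The two policies above are the usual reason delivery silently fails: S3 needs kms:GenerateDataKey and kms:Decrypt on the key, and SQS:SendMessage on the queue, and the queue statement should keep its aws:SourceAccount and aws:SourceArn conditions so only your bucket can write to it. The following is an added example, not AWS code, that checks both policy documents offline (for instance after fetching them with GetKeyPolicy and GetQueueAttributes); the sample policies, account ID and bucket name are constructed placeholders mirroring this article.

```python
"""Offline sanity check of the KMS key policy and SQS queue policy S3 needs."""
S3 = "s3.amazonaws.com"
KMS_NEEDED = {"kms:generatedatakey", "kms:decrypt"}  # compared case-insensitively

def _l(v):  # IAM policy fields may be a single string or a list
    return v if isinstance(v, list) else [v]

def _allows_s3(stmt):
    p = stmt.get("Principal")
    return stmt.get("Effect") == "Allow" and (
        p == "*" or (isinstance(p, dict) and S3 in _l(p.get("Service", []))))

def _actions(stmt):
    return {a.lower() for a in _l(stmt.get("Action", []))}

def kms_missing_actions(key_policy):
    """KMS actions the S3 principal still lacks; an empty set means the key side is fine."""
    granted = set()
    for s in _l(key_policy.get("Statement", [])):
        if _allows_s3(s):
            acts = _actions(s)  # exact names or kms:* only; other wildcards are not expanded
            granted |= KMS_NEEDED if "kms:*" in acts else KMS_NEEDED & acts
    return KMS_NEEDED - granted

def queue_policy_findings(queue_policy, queue_arn):
    """Problems that block delivery, or leave the SendMessage grant open to other buckets."""
    for s in _l(queue_policy.get("Statement", [])):
        res = _l(s.get("Resource", []))
        if not _allows_s3(s) or not _actions(s) & {"sqs:sendmessage", "sqs:*"}:
            continue
        if queue_arn not in res and "*" not in res:
            continue
        cond = s.get("Condition", {})
        findings = []
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append("missing aws:SourceAccount condition (any account's bucket may send)")
        if not any("aws:SourceArn" in cond.get(op, {}) for op in ("ArnLike", "ArnEquals")):
            findings.append("missing aws:SourceArn condition (any bucket in the account may send)")
        return findings
    return ["no Allow statement grants s3.amazonaws.com SQS:SendMessage on " + queue_arn]

# Constructed sample policies mirroring the article; account ID and bucket are placeholders.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:sqs-s3-kms-same-account"
GOOD_KEY = {"Statement": [{"Effect": "Allow", "Principal": {"Service": S3},
                           "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}
GOOD_QUEUE = {"Statement": [{"Effect": "Allow", "Principal": {"Service": S3},
    "Action": "SQS:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789"},
                  "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:hellobucket"}}}]}
# Typical failure: the key policy grants only Decrypt, so S3 cannot generate a data key.
BAD_KEY = {"Statement": [{"Effect": "Allow", "Principal": {"Service": S3},
                          "Action": "kms:Decrypt", "Resource": "*"}]}
```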

Create an S3 event

To add an Amazon S3 event for your bucket, follow these steps:

1.    Open the S3 console, and then choose the hyperlinked Name for your S3 bucket.

2.    From the Properties tab, choose Create event notification.
For Event name, enter a name.
For Event types, select the event types that you want to receive notifications for.
For Destination, choose SQS queue.
For SQS queue, choose your queue.

3.    Choose Save changes.
