Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption (SSE) enabled?

Last updated: 2019-09-27

When I publish messages to my Amazon Simple Notification Service (Amazon SNS) topic, they aren't being delivered to my subscribed Amazon Simple Queue Service (Amazon SQS) queue that has server-side encryption (SSE) enabled. How do I fix this?

Resolution

Your Amazon SQS queue must use a customer master key (CMK) with a custom key policy that gives Amazon SNS sufficient key usage permissions. Those permissions aren't included in the key policy of the default AWS managed CMK for Amazon SQS, and you can't modify that key policy.

Create a new CMK with a key policy that has the required permissions for Amazon SNS. Then configure SSE for your Amazon SQS queue using that custom CMK. For more information and setup instructions, see Tutorial: Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic with an Encrypted Amazon SQS Queue Subscribed.
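To confirm that a custom key policy actually gives Amazon SNS the key usage permissions described above, you can inspect the policy document before attaching the key to the queue. The following is an added example, not AWS code from this article: it assumes the actions SNS needs are `kms:GenerateDataKey` and `kms:Decrypt` for the `sns.amazonaws.com` service principal (as given in AWS's SSE documentation, not on this page), and the function name `missing_sns_actions` and both sample policies are constructed for illustration.

```python
import fnmatch
import json

# Assumption (AWS SSE documentation, not this page): SNS needs these KMS actions.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
SNS_PRINCIPAL = "sns.amazonaws.com"

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def missing_sns_actions(policy_json):
    """Return the required actions that no Allow statement grants to SNS.

    Simplification: Deny statements and Condition blocks are not evaluated.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    granted = set()
    for stmt in statements:
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SNS_PRINCIPAL not in services:
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_ACTIONS:
                # IAM action names are case-insensitive and allow * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in granted]

# Constructed sample policies; 111122223333 is a placeholder account ID.
ADMIN_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]})
WITH_SNS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}]})

if __name__ == "__main__":
    print("admin-only key policy, missing for SNS:", missing_sns_actions(ADMIN_ONLY))
    print("policy with SNS statement, missing:", missing_sns_actions(WITH_SNS))
```

An empty list means the policy has an Allow statement for the SNS service principal covering both actions; any action returned is one SNS cannot perform with that key.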

Tip: To troubleshoot other message delivery issues, you can use Amazon SNS message delivery status logging.