Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?


When I publish messages to my Amazon Simple Notification Service (Amazon SNS) topic, they're not delivered to my Amazon Simple Queue Service (Amazon SQS) queue. How do I fix this issue if my Amazon SNS topic or Amazon SQS queue—or both—have server-side encryption (SSE) activated?

Short description

Your Amazon SQS queue must use an AWS KMS key (KMS key) that is customer managed. This KMS key must include a custom key policy that gives Amazon SNS sufficient key usage permissions.

Note: The required permissions aren't included in the default key policy of the AWS managed KMS key for Amazon SQS, and you can't modify this policy.

If your topic has SSE activated, you must also do the following:

Configure AWS Key Management Service (AWS KMS) permissions that allow your publisher to publish messages to your encrypted topic.

Resolution

1.    Create a new customer managed KMS key with a key policy that has the required permissions for Amazon SNS.

2.    Configure SSE for your Amazon SQS queue using the custom KMS key you just created.

3.    (If your Amazon SNS topic has SSE activated) Configure AWS KMS permissions that allow your publisher to publish messages to your encrypted topic.

For more information, see Activating server-side encryption (SSE) for an Amazon SNS topic with an encrypted Amazon SQS queue subscribed.
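To check whether a queue's key policy meets step 1, the following added example (not AWS's own code) reports which actions Amazon SNS still lacks. The required actions (`kms:GenerateDataKey*` and `kms:Decrypt` for the `sns.amazonaws.com` service principal) come from the AWS documentation rather than this page, and the account ID and both sample policies are constructed.

```python
import json
from fnmatch import fnmatchcase

# Actions Amazon SNS needs on the queue's customer managed KMS key
# (per AWS documentation; not listed on this page).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
SNS_PRINCIPAL = "sns.amazonaws.com"

def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_sns_actions(policy_json):
    """Return the required actions that no Allow statement grants to Amazon SNS.

    Simplification: Deny statements and Condition blocks are not evaluated.
    """
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SNS_PRINCIPAL not in services:
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_ACTIONS:
                # IAM action names are case-insensitive and may use * wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in granted]

# Constructed sample: only the account root is allowed, so SNS has no access.
ROOT_ONLY = {"Sid": "EnableIAMPolicies", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"}
# Constructed sample: the statement that lets SNS use the key.
SNS_STATEMENT = {"Sid": "AllowSNSToUseKey", "Effect": "Allow",
                 "Principal": {"Service": SNS_PRINCIPAL},
                 "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}

BROKEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_ONLY]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17",
                           "Statement": [ROOT_ONLY, SNS_STATEMENT]})

if __name__ == "__main__":
    print("broken policy is missing:", missing_sns_actions(BROKEN_POLICY))
    print("fixed policy is missing:", missing_sns_actions(FIXED_POLICY))
```

The policy document to feed in can be retrieved with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`.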

Note: To troubleshoot other message delivery issues, see Amazon SNS message delivery status.

Related information

Encryption at rest for Amazon SQS

Encryption at rest for Amazon SNS data

Configuring server-side encryption (SSE) for an SNS topic

Using key policies in AWS KMS

Encrypting messages published to Amazon SNS with AWS KMS

AWS OFFICIAL | Updated 2 years ago