Integrating KMS keys with SQS queries, cloudformation being used to deploy resources

0

I need to migrate a team from using non encryption SQS Queue to Customer Managed Keys KMS encryption.

I have a Cloud Formation template to deploy a CMK in Sandbox and Any IAM roles associated with that SQS Queue needs to be able to access the KMS key.

1回答
0

Hello,

Yes, producers and consumers of the queue need KMS permissions on key used for encrypting SQS queue in order to be able to send and receive messages from the queue. If appropriate KMS permissions are missing, KMSAccessDeniedException will be encountered.

Please note the permissions needed by producer to send messages to an encrypted SQS queue: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "sqs:SendMessage" ], "Resource": "arn:aws:sqs:*:123456789012:MyQueue" }] }

Below are the permissions needed by consumer to receive messages from encrypted queue:

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage" ], "Resource": "arn:aws:sqs:*:123456789012:MyQueue" }] }

In case of same account, these permissions can be added in IAM policies associated with role/user or in respective KMS key policy allowing IAM role/user with specific action.

SQS KMS permissions - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html

AWS
Anusha
回答済み 9ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ