How can I troubleshoot Amazon SQS issues that have SSE activated?


I can't send messages to my Amazon Simple Queue Service (Amazon SQS) queue that has server-side encryption (SSE) activated.

Resolution

Amazon SNS topics

If you use an Amazon Simple Notification Service (Amazon SNS) topic to publish messages to an Amazon SQS queue that has SSE activated, then additional configuration is required. The Amazon SQS queue must use an AWS Key Management Service (AWS KMS) customer managed key, not the AWS managed key (alias/aws/sqs). The key policy of the AWS managed key can't be changed, so you can't grant the Amazon SNS service principal the kms:GenerateDataKey and kms:Decrypt permissions that it needs to deliver to the queue. With a customer managed key, add those permissions for sns.amazonaws.com to the key policy.

For more information, see Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?

"AccessDenied" or "AccessDeniedException" errors

If you received the AccessDenied or AccessDeniedException error, then additional permissions or configuration might be required. For more information, see How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls?

InvalidStateException errors

The SendMessage API call to the Amazon SQS queue returns this error:

"KMS.InvalidStateException. Error message: arn:aws:kms:us-east-1:xxxx:key/xxxx is pending deletion. (Service: AWSKMS; Status Code: 400; Error Code: KMSInvalidStateException; Request ID: f9abfcad-7c25-xxxx-9xxx-aexxxyyxxe1; Proxy: null)"

The customer managed key must be in the Enabled state so that Amazon SQS can call the GenerateDataKey and Decrypt API actions on the producer's behalf. Amazon SQS calls GenerateDataKey to get the data key that encrypts the message body before the message is stored in the queue, and Decrypt to unwrap that data key again. A key that is pending deletion rejects both calls, so SendMessage fails. To make the key usable again, first cancel the scheduled deletion (CancelKeyDeletion), and then enable the key (EnableKey), because cancelling a deletion returns the key to the Disabled state, not the Enabled state.

To understand how the key state affects AWS KMS API calls, review the key state table.

DisabledException errors

The SendMessage API call to the Amazon SQS queue returns this error:

"Error code: KMS.DisabledException. Error message: arn:aws:kms:us-east-1:xxxx:key/xxxx is disabled. (Service: AWSKMS; Status Code: 400; Error Code: DisabledException; Request ID: f9abfcad-7c25-xxxx-9xxx-aexxxyyxxe1; Proxy: null)"

AWS KMS moves a customer managed key to the Disabled state when you cancel a scheduled key deletion, and a key also stays disabled after anyone calls DisableKey on it. Before you publish messages to the Amazon SQS queue, check the state of the customer managed key that the queue uses for encryption (the queue's KmsMasterKeyId attribute identifies the key, and the KMS DescribeKey API returns its KeyState). If the key is disabled, then enable it. Then, try to publish the message to the Amazon SQS queue again.
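The following pre-flight check ties the SNS, InvalidStateException and DisabledException sections together. It is an added example written for this page, not code from the AWS article, and it takes boto3-style SQS and KMS clients as arguments; the Fake* classes are constructed stand-ins that model the KMS state rules (a cancelled deletion leaves a key Disabled, EnableKey is refused while a key is pending deletion) so the logic runs offline. The queue URL and key ARNs are hypothetical. It also flags the AWS managed key, which can't be used for SNS delivery because its key policy can't be edited.

```python
"""Pre-flight check for the KMS key behind an SSE-enabled SQS queue.

Added example, not code from the AWS article. It takes boto3-style SQS and KMS
clients as arguments; the Fake* classes below are constructed stand-ins so the
logic runs offline. Queue URL and key ARN values are made up.
"""
from dataclasses import dataclass

# KeyState values returned by KMS DescribeKey. Only "Enabled" lets SQS call
# GenerateDataKey and Decrypt on the producer's behalf.
ENABLED, DISABLED, PENDING_DELETION = "Enabled", "Disabled", "PendingDeletion"


@dataclass
class KeyCheck:
    key_arn: str
    state: str
    action: str      # "ok" | "enable" | "cancel-deletion-then-enable" | "unusable"
    sns_ok: bool     # False for the AWS managed key (alias/aws/sqs): its key
                     # policy can't be edited to grant SNS GenerateDataKey/Decrypt


def queue_key_id(sqs, queue_url):
    """Return the queue's KmsMasterKeyId, or None when SSE-KMS is not enabled."""
    resp = sqs.get_queue_attributes(QueueUrl=queue_url,
                                    AttributeNames=["KmsMasterKeyId"])
    return resp.get("Attributes", {}).get("KmsMasterKeyId")


def plan_for_key(metadata):
    """Map DescribeKey metadata to the remediation the article describes."""
    state = metadata["KeyState"]
    if state == ENABLED:
        action = "ok"
    elif state == DISABLED:
        action = "enable"                         # KMS.DisabledException
    elif state == PENDING_DELETION:
        action = "cancel-deletion-then-enable"    # KMS.InvalidStateException
    else:                                         # Creating, PendingImport, Unavailable, ...
        action = "unusable"
    return KeyCheck(metadata["Arn"], state, action,
                    sns_ok=metadata.get("KeyManager") == "CUSTOMER")


def ensure_key_usable(kms, key_id, remediate=False):
    """Describe the key; optionally bring it back to Enabled before producing.

    Cancelling a scheduled deletion leaves the key Disabled, so EnableKey is
    always needed afterwards; the final DescribeKey confirms the real state.
    """
    check = plan_for_key(kms.describe_key(KeyId=key_id)["KeyMetadata"])
    if not remediate or check.action in ("ok", "unusable"):
        return check
    if check.action == "cancel-deletion-then-enable":
        kms.cancel_key_deletion(KeyId=key_id)
    kms.enable_key(KeyId=key_id)
    return plan_for_key(kms.describe_key(KeyId=key_id)["KeyMetadata"])


class FakeKms:
    """Constructed stand-in for a boto3 KMS client, modelling KMS state rules."""
    def __init__(self, key_arn, state, manager="CUSTOMER"):
        self.key_arn, self.state, self.manager, self.calls = key_arn, state, manager, []

    def describe_key(self, KeyId):
        self.calls.append("DescribeKey")
        return {"KeyMetadata": {"Arn": self.key_arn, "KeyState": self.state,
                                "KeyManager": self.manager}}

    def cancel_key_deletion(self, KeyId):
        self.calls.append("CancelKeyDeletion")
        if self.state != PENDING_DELETION:
            raise RuntimeError("KMSInvalidStateException: key is not pending deletion")
        self.state = DISABLED        # as in real KMS: cancelled deletion => Disabled
        return {"KeyId": KeyId}

    def enable_key(self, KeyId):
        self.calls.append("EnableKey")
        if self.state == PENDING_DELETION:
            raise RuntimeError("KMSInvalidStateException: key is pending deletion")
        self.state = ENABLED
        return {}


class FakeSqs:
    """Constructed stand-in for a boto3 SQS client: one queue, one attribute."""
    def __init__(self, key_id):
        self.key_id = key_id

    def get_queue_attributes(self, QueueUrl, AttributeNames):
        return {"Attributes": {"KmsMasterKeyId": self.key_id}}


if __name__ == "__main__":
    import boto3   # real clients; needs credentials, and the queue URL below is hypothetical
    sqs, kms = boto3.client("sqs"), boto3.client("kms")
    key = queue_key_id(sqs, "https://sqs.us-east-1.amazonaws.com/111122223333/orders")
    print(ensure_key_usable(kms, key) if key else "queue is not SSE-KMS encrypted")
```

Run it without remediate=True first: the returned KeyCheck tells you which of the three errors on this page you are about to hit. The principal that runs it with remediate=True needs kms:CancelKeyDeletion and kms:EnableKey on the key, which a producer normally should not have, so keep remediation in an operator's hands rather than in the producer's code path.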

Related information

Why aren't Amazon S3 event notifications delivered to an Amazon SQS queue that uses server-side encryption?

Encryption at rest

Key states of AWS KMS keys

AWS OFFICIAL, updated 6 months ago