How can I troubleshoot Amazon SQS issues that have SSE activated?

2 minute read
0

I can't send messages to my Amazon Simple Queue Service (Amazon SQS) queue that has server-side encryption (SSE) activated.

Resolution

Amazon SNS topics

If you use an Amazon Simple Notification Service (Amazon SNS) topic to publish messages to an Amazon SQS queue, then additional configuration might be required. For example, your Amazon SQS queue must use an AWS Key Management Service (AWS KMS) customer managed key.

For more information, see Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?

"AccessDenied" or "AccessDeniedException" errors

If you received the AccessDenied or AccessDeniedException error, then additional permissions or configuration might be required. For more information, see How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls?

InvalidStateException errors

The SendMessage API call to the Amazon SQS queue returns this error:

"KMS.InvalidStateException. Error message: arn:aws:kms:us-east-1:xxxx:key/xxxx is pending deletion. (Service: AWSKMS; Status Code: 400; Error Code: KMSInvalidStateException; Request ID: f9abfcad-7c25-xxxx-9xxx-aexxxyyxxe1; Proxy: null)"

The customer managed key must be in the Activated state so that the producer can perform the GenerateDataKey and Decrypt API actions. The GenerateDataKey and Decrypt API actions encrypt the messages before they're sent to the Amazon SQS queue.

To understand how the key state affects AWS KMS API calls, review the key state table.

DisabledException errors

The SendMessage API call to the Amazon SQS queue returns this error:

"Error code: KMS.DisabledException. Error message: arn:aws:kms:us-east-1:xxxx:key/xxxx is disabled. (Service: AWSKMS; Status Code: 400; Error Code: DisabledException; Request ID: f9abfcad-7c25-xxxx-9xxx-aexxxyyxxe1; Proxy: null)"

Amazon SQS moves the customer managed key to the Disabled state when you stop the key deletion. Before you publish messages to the Amazon SQS queue, check the state of the customer managed key that you use for encryption. If the customer managed key is deactivated, then activate it. Then, try to publish the message again to the Amazon SQS queue.

Related information

Why aren't Amazon S3 event notifications delivered to an Amazon SQS queue that uses server-side encryption?

Encryption at rest

Key states of AWS KMS keys

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago