Auto Scaling group not publishing notification to an encrypted SNS topic

0

I have tested the integration between ASG and my SNS topic, and it works without encryption. However, when I encrypted the SNS topic with a customer managed KMS key, I no longer receive notifications from ASG (confirmed from the SNS CloudWatch metrics). I have granted the ASG service principal generate*, encrypt*, decrypt* permissions on the key, but it is still not working. Can you advise on anything else I should check?

Reply to first comment: The account already has full access to the key as admin. I also don't see any relevant CloudTrail event for that key except its creation. ASG might not be the service trying to publish to the topic; the reason I think it should be ASG is that, before I added encryption, I only granted ASG permission to publish to the SNS topic.

1 Answer
0

Try this statement on the key policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Key utilization",
      "Effect": "Allow",
      "Principal": {
        "AWS": [ "arn:aws:iam::ACCOUNT_ID:root" ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }
  ]
}
```

That would allow all the services in the account to encrypt/decrypt using the key; ASG might not be the service trying to publish to the topic.

Another thing that helps a lot is to check the CloudTrail Event History around the time the message should have been sent, including the "Error code" field.

answered a year ago
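Two checks from this thread can be done offline before touching the console: which principals the key policy actually grants the KMS operations SNS needs (`kms:GenerateDataKey*` and `kms:Decrypt`), and which CloudTrail events around the failure carry an error code. The following Python is an added example, not code from the question or the answer; the key policy, the CloudTrail records, the account id `111122223333` and the service principal names used as inputs are constructed samples, and the checker ignores `Condition` elements (an assumption that the policy has none).

```python
import fnmatch
import json

# Constructed sample KMS key policy (not from the thread): the root-principal
# statement the answer suggests, plus one naming the Auto Scaling service
# principal directly. The account id is a placeholder.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Key utilization",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
      "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
      "Resource": "*"
    },
    {
      "Sid": "Allow Auto Scaling to use the key for SNS",
      "Effect": "Allow",
      "Principal": {"Service": "autoscaling.amazonaws.com"},
      "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
      "Resource": "*"
    }
  ]
}
""")

# The two KMS operations an encrypted SNS topic needs on its customer managed key.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM accepts a string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, kind, value):
    """True if the statement's Principal names (kind, value), or is anonymous ("*")."""
    if principal == "*" or "*" in _as_list(principal.get("AWS")):
        return True
    return value in _as_list(principal.get(kind))


def _matched_actions(patterns):
    """Expand patterns such as "kms:GenerateDataKey*" or "kms:*" into the
    subset of REQUIRED_ACTIONS they cover."""
    return {a for a in REQUIRED_ACTIONS for p in patterns if fnmatch.fnmatchcase(a, p)}


def missing_actions(policy, kind, value):
    """Return the required actions the key policy does NOT grant to the given
    principal, e.g. ("Service", "autoscaling.amazonaws.com") or
    ("AWS", "arn:aws:iam::111122223333:root"). An explicit Deny wins over Allow;
    Condition elements are not evaluated (assumption: the policy has none)."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt.get("Principal", {}), kind, value):
            continue
        hit = _matched_actions(_as_list(stmt.get("Action")))
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit
    return sorted(set(REQUIRED_ACTIONS) - (allowed - denied))


# Constructed CloudTrail records (not real events), reduced to the fields
# the triage needs: who called what, and whether it failed.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventTime": "2024-03-01T10:05:12Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"invokedBy": "sns.amazonaws.com"},
     "errorCode": "AccessDenied", "errorMessage": "not authorized to perform kms:GenerateDataKey"},
    {"eventTime": "2024-03-01T10:05:12Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "userIdentity": {"invokedBy": "autoscaling.amazonaws.com"},
     "errorCode": "KMSAccessDenied"},
]


def failed_calls(records, sources=("kms.amazonaws.com", "sns.amazonaws.com")):
    """Pick out the KMS and SNS events that carry an errorCode, together with the
    principal that made the call, so the denied operation is visible at a glance."""
    out = []
    for r in records:
        if r.get("eventSource") in sources and "errorCode" in r:
            identity = r.get("userIdentity", {})
            who = identity.get("invokedBy") or identity.get("userName", "unknown")
            out.append((r["eventTime"], r["eventName"], who, r["errorCode"]))
    return out


if __name__ == "__main__":
    for kind, value in [("AWS", "arn:aws:iam::111122223333:root"),
                        ("Service", "autoscaling.amazonaws.com"),
                        ("Service", "sns.amazonaws.com")]:
        print(kind, value, "missing:", missing_actions(SAMPLE_KEY_POLICY, kind, value))
    for row in failed_calls(SAMPLE_CLOUDTRAIL):
        print(*row)
```

Run it against the real key policy (`aws kms get-key-policy --policy-name default`) and the Event History export: the first function reports, per principal, which of the two operations the policy leaves out, and the second surfaces the denied call and the service that made it, which tells you which principal the key policy still needs to name.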
