- 最新
- 最多得票
- 最多評論
Hello,
Yes, producers and consumers of the queue need KMS permissions on key used for encrypting SQS queue in order to be able to send and receive messages from the queue. If appropriate KMS permissions are missing, KMSAccessDeniedException will be encountered.
Please note the permissions needed by producer to send messages to an encrypted SQS queue:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "sqs:SendMessage" ], "Resource": "arn:aws:sqs:*:123456789012:MyQueue" }] }
Below are the permissions needed by consumer to receive messages from encrypted queue:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage" ], "Resource": "arn:aws:sqs:*:123456789012:MyQueue" }] }
In case of same account, these permissions can be added in IAM policies associated with role/user or in respective KMS key policy allowing IAM role/user with specific action.
SQS KMS permissions - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html
相關內容
- 已提問 6 個月前
- AWS 官方已更新 7 個月前
- AWS 官方已更新 2 年前
- AWS 官方已更新 6 個月前
- AWS 官方已更新 1 年前