Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[cloudwatch] SQS connected to SNS don't receive data when using KMS

See original GitHub issue

When SQS is configured with QueueEncryption.KMS and master key is set, it does not successfully receive data from SNS that it is subscribed to.

Reproduction Steps

topic = aws_sns.Topic(self.stack, 'alarm-topic',
                              display_name='Topic for alarms',
queue = aws_sqs.Queue(self.stack, 'alarm-queue',

What did you expect to happen?

Successfully retrieve message from SQS

What actually happened?

When the SNS has delivery logs enabled, the following failure appears in the log:

{ “notification”: { “messageMD5Sum”: “2bc17714a33dbaf9dbe6a57a8410eb7f”, “messageId”: “054099fb-9d8e-5f40-b657-c1eb69e60b29”, “topicArn”: “[SNS ARN]”, “timestamp”: “2020-10-26 15:58:32.47” }, “delivery”: { “deliveryId”: “c894a538-64e0-5577-b85d-fd2890888698”, “destination”: "[SQS ARN], “providerResponse”: “{"ErrorCode":"KMS.AccessDeniedException","ErrorMessage":"null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 9582607f-3c84-4f8e-8d4b-fa9932c21146; Proxy: null)","sqsRequestId":"Unrecoverable"}”, “dwellTimeMs”: 66, “attempts”: 1, “statusCode”: 400 }, “status”: “FAILURE” }


CLI Version : 1.70 Framework Version: Python 3.8.5 Node.js Version: v14.11.0 OS : Linux Language (Version): Python (3.8.5)


This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:1
  • Comments:5 (2 by maintainers)

github_iconTop GitHub Comments

rrhodescommented, Jun 14, 2021

I may be mistaken, but this sounds like a duplicate of #2504.

github-actions[bot]commented, Aug 11, 2022


Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Resolve issues receiving SNS notifications for CloudWatch ...
The key policy of the default AWS KMS key for SNS doesn't allow CloudWatch alarms to perform "kms:Decrypt" and "kms:GenerateDataKey" API calls.
Read more >
AWS Cloudwatch can not publish to SNS Topic with SSE
Apparently, CloudWatch can't send messages to encrypted SNS topics according to Protecting Amazon SNS Data Using Server-Side Encryption (SSE) ...
Read more >
class SQS. Client - Boto3 Docs 1.26.36 documentation
The ReceiptHandle is associated with a specific instance of receiving a message. If you receive a message more than once, the ReceiptHandle is...
Read more >
aws_sns_topic_subscription | Resources | hashicorp/aws
If the SNS topic and SQS queue are in different AWS regions, the aws_sns_topic_subscription must use an AWS provider that is in the...
Read more >
Ensure AWS SQS server side encryption is enabled
Open the Amazon SQS console. · Open a Queue and click Edit at the top right. · Expand Encryption and select Enabled. ·...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found