Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

grantSendMessages of encrypted SQS to Lambda function not generating kms:Decrypt permission

See original GitHub issue

General Issue

We deployed a SQS queue to Account-A that is encrypted with a CMK that resides in Account-B. Permissions of CMK are set to grant allow kms:* to AccountPrincipal(‘Account-A’). Then we instantiate ourLambda function that is granted write permissions to ourQueue using ourQueue.grantSendMessages(ourLambda).

const sqsKey = Key.fromKeyArn('arn:aws:kms:eu-central-1:0987654321:key/ourKeyId');

const ourQueue = new Queue(this, 'OurQueue', {
    encryption: QueueEncryption.KMS,
    encryptionMasterKey: sqsKey

const ourLambda = new Function(this, 'OurLambda', {...});


This results in

"Action": [
"Resource": "arn:aws:kms:eu-central-1:0987654321:key/ourKeyId",
"Effect": "Allow"

being added to ourLambdaExecutionRoleDefaultPolicy.

Lambda function execution failed with KMS AccessDeniedException when sending a message to ourQueue.

After adding


the lambda function executes successfully.

The Question

Is kms:Decrypt strictly necessary to execute sendMessage to an SSE enabled SQS queue? Is this due to the CMK residing in a seperate AWS account? If so, should kms:Decrypt be added to the Lambda execution role policy when Queue.grantSendMessage(Lambda) is used?


  • CDK CLI Version: 1.27.0 (build a98c0b3)
  • Module Version: 1.27.0
  • OS: Windows 10
  • Language: TypeScript

Other information

Thanks for the good work!

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:2
  • Comments:7 (3 by maintainers)

github_iconTop GitHub Comments

csbszbcommented, Sep 3, 2020

I have the same issue when I create a FIFO queue with an EventBus target and set the following encryption value: encryption: sqs.QueueEncryption.KMS_MANAGED

I followed the instruction in this article but this also didn’t fix the problem.

When I change the encryption back to unencrypted, the messages are delivered to the queue.

ishassancommented, Apr 22, 2020

In my case, everything is in the same account, yet a decrypt permission is still required to send messages.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Managing access to your encrypted Amazon SQS queue ...
Grant Amazon SNS KMS permissions to Amazon SNS to publish messages to the queue. Allow consumers to decrypt messages from the queue. Grant...
Read more >
Send message to encrypted SQS queue from Lambda
I have a AWS Lambda function that needs to send messages to an encrypted SQS queue. At one point I got it working...
Read more >
Building serverless applications with the AWS CDK
We create an API Gateway endpoint that invokes a Lambda function. ... SQS also needs to the permissions the invoke the second Lambda ......
Read more >
Send message to encrypted SQS queue from AWS accounts ...
The publisher must have permission for kms:Decrypt to send a message; The SQS resource policy works with aws:PrincipalOrgId the policy condition, but not...
Read more >
Configuring a queue to trigger an Amazon Lambda function ...
sqs :ReceiveMessage. If you associate an encrypted queue with a Lambda function, add the kms:Decrypt permission to the Lambda execution role ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found