grantSendMessages of encrypted SQS to Lambda function not generating kms:Decrypt permission
General Issue
We deployed an SQS queue to Account-A that is encrypted with a CMK that resides in Account-B. The permissions of the CMK are set to allow kms:* to AccountPrincipal('Account-A'). Then we instantiate our Lambda function, which is granted write permissions to ourQueue using ourQueue.grantSendMessages(ourLambda).
```typescript
import { Key } from '@aws-cdk/aws-kms';
import { Queue, QueueEncryption } from '@aws-cdk/aws-sqs';
import { Function } from '@aws-cdk/aws-lambda';

// CMK that lives in Account-B; referenced by ARN from Account-A's stack
const sqsKey = Key.fromKeyArn(this, 'SqsKey', 'arn:aws:kms:eu-central-1:0987654321:key/ourKeyId');

// Queue in Account-A, server-side encrypted with the imported CMK
const ourQueue = new Queue(this, 'OurQueue', {
  encryption: QueueEncryption.KMS,
  encryptionMasterKey: sqsKey
});

const ourLambda = new Function(this, 'OurLambda', {...});

// Grants sqs:SendMessage plus kms:Encrypt / kms:ReEncrypt* / kms:GenerateDataKey* on the key
ourQueue.grantSendMessages(ourLambda);
```
This results in
```json
{
  "Action": [
    "kms:Encrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
  ],
  "Resource": "arn:aws:kms:eu-central-1:0987654321:key/ourKeyId",
  "Effect": "Allow"
}
```
being added to ourLambdaExecutionRoleDefaultPolicy.
The Lambda function execution failed with a KMS AccessDeniedException when sending a message to ourQueue.
After adding
```typescript
sqsKey.grantDecrypt(ourLambda);
```
the Lambda function executes successfully.
The Question
Is kms:Decrypt strictly necessary to execute sendMessage to an SSE-enabled SQS queue? Is this due to the CMK residing in a separate AWS account?
If so, should kms:Decrypt be added to the Lambda execution role policy when Queue.grantSendMessage(Lambda) is used?
Environment
- CDK CLI Version: 1.27.0 (build a98c0b3)
- Module Version: 1.27.0
- OS: Windows 10
- Language: TypeScript
Other information
Thanks for the good work!
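The gap described above can be caught before deployment by inspecting the synthesized role policy. The following is an added example, not code from the issue or from the CDK project: it takes IAM statements in the shape CDK writes to a role's DefaultPolicy and reports which of the KMS actions an SQS producer needs on the queue's CMK (kms:GenerateDataKey and kms:Decrypt, per the SQS developer guide) are not granted. The statement arrays and the key ARN are constructed from the issue text.

```typescript
// Added example: check a role's policy statements for the KMS actions an
// SQS producer needs on the queue's CMK. Not CDK's own code.

type Effect = 'Allow' | 'Deny';
type Statement = { Action: string | string[]; Resource: string | string[]; Effect: Effect };

// Actions a principal needs on the CMK to SendMessage to an SSE-KMS queue.
const PRODUCER_ACTIONS = ['kms:GenerateDataKey', 'kms:Decrypt'];

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// IAM-style wildcard match; action names are case-insensitive, ARNs are not.
function matches(pattern: string, value: string, ignoreCase: boolean): boolean {
  const re = new RegExp('^' + pattern.split('*').map(escapeRe).join('.*') + '$', ignoreCase ? 'i' : '');
  return re.test(value);
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Returns the producer actions that are not allowed on keyArn, treating an
// explicit Deny as blocking the action even when an Allow exists.
function missingProducerKmsActions(statements: Statement[], keyArn: string): string[] {
  const has = (action: string, effect: Effect) =>
    statements.some(s => s.Effect === effect &&
      asList(s.Resource).some(r => matches(r, keyArn, false)) &&
      asList(s.Action).some(a => matches(a, action, true)));
  return PRODUCER_ACTIONS.filter(a => !has(a, 'Allow') || has(a, 'Deny'));
}

// Constructed sample: the statement CDK 1.27 emitted for grantSendMessages.
const KEY_ARN = 'arn:aws:kms:eu-central-1:0987654321:key/ourKeyId';
const grantSendOnly: Statement[] = [
  { Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'], Resource: KEY_ARN, Effect: 'Allow' },
];
// Constructed sample: the same policy after sqsKey.grantDecrypt(ourLambda).
const withDecrypt: Statement[] = [
  ...grantSendOnly,
  { Action: 'kms:Decrypt', Resource: KEY_ARN, Effect: 'Allow' },
];

console.log(missingProducerKmsActions(grantSendOnly, KEY_ARN)); // [ 'kms:Decrypt' ]
console.log(missingProducerKmsActions(withDecrypt, KEY_ARN));   // []
```

Run it against the policy document from `cdk synth` output to confirm the role carries both producer actions before deploying.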
I have the same issue when I create a FIFO queue with an EventBus target and set the following encryption value:
```typescript
encryption: sqs.QueueEncryption.KMS_MANAGED
```
I followed the instruction in this article but this also didn’t fix the problem.
When I change the encryption back to unencrypted, the messages are delivered to the queue.
In my case, everything is in the same account, yet a decrypt permission is still required to send messages.