Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[sqs] Circular dependency between resources when encrypting sqs queue with kms and assigning target to rule

See original GitHub issue

I am setting up an event bridge rule that will forward events from Macie to sqs. Everything works fine until I add encryptionMasterKey to the queue. I either have to remove the .encryptionMasterKey or remove the .target() to avoid circular dependency error.

Reproduction Steps

val queue = Queue.Builder.create(scope, "MacieReportQueue")
             // TODO: FIXME: KMS Circular dependency error when combined with target

     val target = SqsQueue.Builder.create(queue).build()

     val rule = Rule.Builder.create(scope, "MacieToSqsEventBridgeRule")
             .description("Sends messages to SQS if Macie finds sensitive information")

CF Graph

What did you expect to happen?

No circular dependency error. Queue should be encrypted.

What actually happened?

Circular dependency between resources: [MacieReportQueue7D1A954B, MacieReportQueuePolicy84D89C73, MacieToSqsEventBridgeRule498CF606, MacieReportQueueKeyAliasA0A0C899, MacieReportQueueKeyF608AAD8]


  • **CLI Version :1.67.0 (build 2b4dd71)
  • **Framework Version:1.67.0
  • Node.js Version: v14.13.1
  • OS : Mac 10.14.6
  • Language (Version): Java 8


This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:13 (6 by maintainers)

github_iconTop GitHub Comments

sudoplacommented, Nov 30, 2021

I’m using the CFN class to circumvent this problem for now.

const cfnRule = eventRule.node.defaultChild as events.CfnRule
cfnRule.targets = [
        arn: queue.queueArn,
        id: 'EventQueue-Target',

You will also need to define the following permissions

// Gives EventBridge rule permission to send message to queue target            
queue.addToResourcePolicy(new iam.PolicyStatement({
    actions: ['sqs:SendMessage'],
    resources: [queue.queueArn],
    principals: [new iam.ServicePrincipal('')],
    conditions: {
        'ArnEquals': {'aws:SourceArn': eventRule.ruleArn}
// Give EventBridge access to KMS key
sqsKmsKey.addToResourcePolicy(new iam.PolicyStatement({
    principals: [new iam.ServicePrincipal('')],
    actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
    resources: ['*']
madeline-kcommented, May 10, 2021

Taking a look at this one. I’m planning to remove the condition from being added here: in the case where the queue is encrypted.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Key management - Amazon Simple Queue Service
The policy for this KMS key includes permissions for all principals in the account (that are authorized to use Amazon SQS) to use...
Read more >
How to solve circular dependency between AWS resources ...
I enabled encryption on the S3 and SQS resources. When I enabled the notification from S3 to SQS, I am getting a circular...
Read more >
SQS Queues as an EventBridge Rule Target (with ...
In this article, I show you how to set up SQS queues and SQS FIFO queues as a target of an Event Bridge...
Read more >
@aws-cdk/aws-sqs | Yarn - Package Manager
Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, ...
Read more >
This module provides the ability to manage AWS resources
In the simplest case, this allows you to create new EC2 instances from Puppet code. More importantly, it allows you to describe your...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found