[cloudwatch] SQS connected to SNS don't receive data when using KMS

[du291]

When SQS is configured with QueueEncryption.KMS and master key is set, it does not successfully receive data from SNS that it is subscribed to.

Reproduction Steps

topic = aws_sns.Topic(self.stack, 'alarm-topic',
                              display_name='Topic for alarms',
                              topic_name=self.alarms_topic_name)
queue = aws_sqs.Queue(self.stack, 'alarm-queue',
                              encryption=aws_sqs.QueueEncryption.KMS,
                              encryption_master_key=key,
                              retention_period=core.Duration.days(7),
                              queue_name=self.alarms_queue_name
                              )
topic.add_subscription(aws_sns_subscriptions.SqsSubscription(queue))

What did you expect to happen?

Successfully retrieve message from SQS

What actually happened?

When the SNS has delivery logs enabled, the following failure appears in the log:

{
"notification": {
"messageMD5Sum": "2bc17714a33dbaf9dbe6a57a8410eb7f",
"messageId": "054099fb-9d8e-5f40-b657-c1eb69e60b29",
"topicArn": "[SNS ARN]",
"timestamp": "2020-10-26 15:58:32.47"
},
"delivery": {
"deliveryId": "c894a538-64e0-5577-b85d-fd2890888698",
"destination": "[SQS ARN],
"providerResponse": "{"ErrorCode":"KMS.AccessDeniedException","ErrorMessage":"null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 9582607-3c84-4f8e-8d4b-fa9932c21146; Proxy: null)","sqsRequestId":"Unrecoverable"}",
"dwellTimeMs": 66,
"attempts": 1,
"statusCode": 400
},
"status": "FAILURE"
}

Environment

CLI Version : 1.70
Framework Version: Python 3.8.5
Node.js Version: v14.11.0
OS : Linux
Language (Version): Python (3.8.5)

Other

---

This is 🐛 Bug Report

[rix0rrr]

I would think that the key needs a permission added to have the SNS service principal be able to encrypt using it.

[rrhodes]

I may be mistaken, but this sounds like a duplicate of #2504.

[sekhavati]

Experiencing the same issue when using QueueEncryption.KMS_MANAGED on SQS

[HansFalkenberg-Visma]

I agree with rrhodes, this was fixed by #2504 released in https://github.com/aws/aws-cdk/releases/tag/v1.111.0 (July 2nd 2021).

I am guessing sekhavati either used an old version, or did not specify encryptionMasterKey. You must use a custom CMK, not an AWS key, as will be verified if #19796 is implemented.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.