diff --git a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts index e4cee142a86ee..d1e4f1abf1bc9 100644 --- a/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts +++ b/packages/@aws-cdk/aws-s3-notifications/test/queue.test.ts @@ -106,6 +106,7 @@ test('if the queue is encrypted with a custom kms key, the key resource policy i }, { Action: [ + 'kms:Decrypt', 'kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', diff --git a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json index 1f71577dc2e63..88e05950c5c56 100644 --- a/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json +++ b/packages/@aws-cdk/aws-s3-notifications/test/sqs/integ.bucket-notifications.expected.json @@ -292,6 +292,7 @@ }, { "Action": [ + "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" diff --git a/packages/@aws-cdk/aws-sqs/lib/queue-base.ts b/packages/@aws-cdk/aws-sqs/lib/queue-base.ts index 955afd6644701..40205dab1959b 100644 --- a/packages/@aws-cdk/aws-sqs/lib/queue-base.ts +++ b/packages/@aws-cdk/aws-sqs/lib/queue-base.ts @@ -194,9 +194,9 @@ export abstract class QueueBase extends Resource implements IQueue { 'sqs:GetQueueUrl'); if (this.encryptionMasterKey) { - this.encryptionMasterKey.grantEncrypt(grantee); + // kms:Decrypt necessary to execute grantsendMessages to an SSE enabled SQS queue + this.encryptionMasterKey.grantEncryptDecrypt(grantee); } - return ret; } @@ -234,7 +234,6 @@ export abstract class QueueBase extends Resource implements IQueue { }); } } - /** * Reference to a queue */ diff --git a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts index dba63232abcbc..baef7fa8bb2e4 100644 --- a/packages/@aws-cdk/aws-sqs/test/test.sqs.ts +++ b/packages/@aws-cdk/aws-sqs/test/test.sqs.ts 
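Review bot: `this.encryptionMasterKey.grantEncryptDecrypt(grantee)` in the `if (this.encryptionMasterKey)` branch of queue-base.ts gives every send-only principal `kms:Decrypt` on the whole key, alongside `kms:Encrypt` and `kms:ReEncrypt*`. The SQS documentation lists only `kms:GenerateDataKey` and `kms:Decrypt` for producers on an SSE queue. If the same key also protects other resources, a principal that should only send may now be able to decrypt their data as well. Consider a narrower grant such as `this.encryptionMasterKey.grant(grantee, 'kms:Decrypt', 'kms:GenerateDataKey*');`, or state in the method's doc comment that the key should be dedicated to the queue. The new comment would also read better as `// kms:Decrypt is required by grantSendMessages() on an SSE-enabled queue`, ideally with the reason; the enclosing method starts above the hunk, so this rests on the visible lines only.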
@@ -272,6 +272,7 @@ export = {
 },
 {
 'Action': [
+ 'kms:Decrypt',
 'kms:Encrypt',
 'kms:ReEncrypt*',
 'kms:GenerateDataKey*',