AWS KMS permissions for Amazon SQS message encryption

If your Amazon SQS queue is encrypted with an AWS KMS key, make sure that the Tonic Structural environment setting TONIC_LAMBDA_KMS_MASTER_KEY is set to the ID of that same key.

Also grant the Amazon S3 service principal access to the key in the key's key policy, so that S3 event notifications can be delivered to the encrypted queue. Add the following statement (in a key policy, "Resource": "*" refers to the key that the policy is attached to, not to all keys):

{
    "Sid": "Allow access for Amazon S3 Event Notifications to Amazon SQS",
    "Effect": "Allow",
    "Principal": {
        "Service": "s3.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}

The IAM roles used by your Amazon EC2 instance and Lambda functions also need permission to use the key. Attach a policy like the following to each role, replacing <ARN to AWS KMS key> with the ARN of the key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<ARN to AWS KMS key>"
        }
    ]
}
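To confirm that both policies above actually grant what this page requires before you deploy, the following script checks a KMS key policy and an IAM role policy offline. It is an added example, not Tonic Structural's code or an AWS tool. It assumes that you have already fetched the policy documents (for example with aws kms get-key-policy and aws iam get-role-policy) and loaded them as dictionaries; the key ARN and the sample policies embedded below are constructed for illustration. Only Allow statements with explicit Action lists are evaluated; Deny and NotAction statements are ignored, so a clean result means the required grants are present, not that nothing else blocks them.

```python
"""Check that a KMS key policy and an IAM role policy grant the permissions
an SQS queue encrypted with KMS needs for S3 event notifications and for
the EC2/Lambda roles that consume it. Example code, not Tonic's or AWS's."""
import fnmatch

S3_SERVICE = "s3.amazonaws.com"
# Actions the key policy must grant to the S3 service principal.
KEY_POLICY_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
# Actions the EC2 and Lambda roles must have on the key.
ROLE_POLICY_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allowed_actions(statement, wanted):
    """Subset of `wanted` that this Allow statement covers.
    IAM action names are case-insensitive and may use wildcards (kms:*)."""
    if statement.get("Effect") != "Allow":
        return set()
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return {a for a in wanted
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


def _resource_covers(statement, key_arn):
    """True if the statement's Resource names the key ("*" or wildcard ARN)."""
    return any(fnmatch.fnmatchcase(key_arn, r)
               for r in _as_list(statement.get("Resource")))


def missing_s3_key_permissions(key_policy):
    """Actions the S3 service principal still lacks in the key policy.
    Only statements with an explicit Service principal are counted."""
    granted = set()
    for st in key_policy.get("Statement", []):
        principal = st.get("Principal", {})
        if isinstance(principal, dict) and S3_SERVICE in _as_list(principal.get("Service")):
            granted |= _allowed_actions(st, KEY_POLICY_ACTIONS)
    return sorted(KEY_POLICY_ACTIONS - granted)


def missing_role_key_permissions(role_policy, key_arn):
    """Actions the role policy still lacks on the given key ARN."""
    granted = set()
    for st in role_policy.get("Statement", []):
        if _resource_covers(st, key_arn):
            granted |= _allowed_actions(st, ROLE_POLICY_ACTIONS)
    return sorted(ROLE_POLICY_ACTIONS - granted)


# Constructed sample input (not a real account or key).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

GOOD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Amazon S3 Event Notifications to Amazon SQS",
         "Effect": "Allow", "Principal": {"Service": S3_SERVICE},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
}
# Same policy without the S3 statement: notifications to the queue will fail.
BAD_KEY_POLICY = {"Version": "2012-10-17", "Statement": GOOD_KEY_POLICY["Statement"][:1]}

# Role policy that forgot kms:Encrypt.
INCOMPLETE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                   "Resource": KEY_ARN}],
}

if __name__ == "__main__":
    print("key policy, S3 missing:", missing_s3_key_permissions(GOOD_KEY_POLICY))
    print("key policy (no S3 stmt), S3 missing:", missing_s3_key_permissions(BAD_KEY_POLICY))
    print("role policy missing:", missing_role_key_permissions(INCOMPLETE_ROLE_POLICY, KEY_ARN))
```

Run it against the real documents by replacing the constructed dictionaries with the output of aws kms get-key-policy --policy-name default and aws iam get-role-policy for each EC2 and Lambda role; an empty list from both functions means the grants on this page are in place.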
