The issue you're experiencing with S3 SNS email notifications not working after enabling SNS encryption is likely due to insufficient permissions in your KMS key policy. While your SNS policy and KMS key policy are partially correct, there are a few adjustments needed to make it work properly.
First, it's important to note that when using server-side encryption for SNS topics, you must use an AWS KMS customer managed key instead of the default AWS managed key. This is because the default key policy doesn't include the necessary permissions for AWS services (like S3 in your case) to perform KMS operations.
To resolve this issue, you need to modify your KMS key policy to allow S3 to use the key for encryption. Add the following statement to your KMS key policy:
{
    "Sid": "Allow S3 to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "s3.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
}
This statement allows the S3 service to generate data keys and decrypt data using your KMS key, which is necessary for the encrypted SNS topic to receive notifications from S3.
Additionally, to troubleshoot and view errors that may occur while publishing SNS messages, you can:
- Check Amazon SNS CloudWatch metrics, such as NumberOfMessagesPublished, NumberOfNotificationsDelivered, and NumberOfNotificationsFailed.
- Enable Amazon SNS topic delivery status logs. This will provide more detailed information about message delivery issues.
- Verify that the SNS topic and the S3 bucket are in the same AWS region.
- Ensure that the email addresses subscribed to the SNS topic have confirmed their subscription.
By making these adjustments and using these troubleshooting methods, you should be able to resolve the issue with your S3 SNS email notifications when using encryption.
Sources
Troubleshoot encrypted SNS topic not getting notifications from AWS service | AWS re:Post
Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue) - Amazon Simple Storage Service
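The two policies the answer above describes, put together and checked, as an added example that is not part of the re:Post answer or AWS documentation. It builds a customer managed KMS key policy carrying the "Allow S3 to use the key" statement, builds the matching SNS topic policy from the S3 walkthrough (S3 service principal, scoped to one bucket and one account so another account's bucket cannot publish into your topic), and includes a small checker that reports which of the two KMS actions a given key policy still fails to grant to s3.amazonaws.com. The account id, bucket name and topic ARN are constructed placeholders; the checker deliberately ignores Condition and NotAction elements, so treat a clean result as necessary rather than sufficient.

```python
"""Build and sanity-check the KMS key policy and SNS topic policy that an
S3 -> SSE-enabled SNS topic notification path needs.

Added example, not code from the re:Post answer. The account id, bucket
name and topic ARN below are constructed placeholders."""
import fnmatch
import json

# The two KMS operations S3 needs on the topic's customer managed key.
REQUIRED_S3_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}


def _as_list(value):
    """IAM lets Statement, Action and Service be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers_s3(statement):
    """True if the statement's Principal names the S3 service principal
    (or everyone via "*")."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        services = _as_list(principal.get("Service"))
        return "s3.amazonaws.com" in services or "*" in services
    return False


def missing_s3_kms_actions(key_policy):
    """Return the subset of REQUIRED_S3_KMS_ACTIONS that the key policy does
    not grant to s3.amazonaws.com. Action wildcards such as "kms:*" are
    expanded; an explicit Deny wins over any Allow. Simplification (assumed
    acceptable here): Condition and NotAction elements are not evaluated."""
    allowed, denied = set(), set()
    for stmt in _as_list(key_policy.get("Statement")):
        if not _statement_covers_s3(stmt):
            continue
        patterns = _as_list(stmt.get("Action"))
        matched = {
            req for req in REQUIRED_S3_KMS_ACTIONS
            if any(fnmatch.fnmatchcase(req, pat) for pat in patterns)
        }
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return REQUIRED_S3_KMS_ACTIONS - (allowed - denied)


def build_kms_key_policy(account_id):
    """Customer managed key policy: the account root keeps key administration,
    and S3 gets exactly the two operations it needs to publish to a topic
    with server-side encryption enabled."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM policies in the account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow S3 to use the key",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": "*",
            },
        ],
    }


def build_sns_topic_policy(topic_arn, bucket_name, account_id):
    """Topic policy letting only this bucket in this account publish.
    aws:SourceArn / aws:SourceAccount stop a bucket in another account from
    using the S3 service principal to publish into your topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3BucketToPublish",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


if __name__ == "__main__":
    account = "123456789012"                       # placeholder account id
    topic = f"arn:aws:sns:us-east-1:{account}:s3-events"   # placeholder ARN
    # A key policy with only the root statement is what an S3-facing key
    # looks like before the fix: the checker names both missing grants.
    before = {"Statement": build_kms_key_policy(account)["Statement"][:1]}
    print("missing before fix:", sorted(missing_s3_kms_actions(before)))
    after = build_kms_key_policy(account)
    print("missing after fix:", sorted(missing_s3_kms_actions(after)))
    print(json.dumps(after, indent=2))
    print(json.dumps(build_sns_topic_policy(topic, "my-bucket", account), indent=2))
```

Apply the generated documents with `aws kms put-key-policy` and `aws sns set-topic-attributes --attribute-name Policy`, and pass the same key id as the topic's KmsMasterKeyId; the checker is meant to be run against the output of `aws kms get-key-policy` after the change to confirm the S3 statement actually landed on the key the topic uses.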
Amazon SNS only supports symmetric encryption KMS keys. Can you confirm this is the case?
Also check CloudTrail for access denied events from KMS and SNS.