S3 SNS email notifications are not working after enabling SNS encryption

0

Hi Team,

As part of security, I'm trying to implement SNS encryption, but after enabling it, the email is not being triggered. Without encryption, it works fine.

Below are the policies set for the SNS and KMS key.

SNS Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567895:user/testuser",
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:ap-southeast-2:123456789:sns-email-ses-test",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::Mybucket"
        }
      }
    }
  ]
}

KMS key Policy

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1234444444444:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AllowSNSAccess",
            "Effect": "Allow",
            "Principal": {
                "Service": "sns.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}

So kindly assist me to resolve this issue. Also, is there any way to view the error that is occurring while publishing the SNS message?

2 Answers
0
Accepted Answer

The issue you're experiencing with S3 SNS email notifications not working after enabling SNS encryption is likely due to insufficient permissions in your KMS key policy. While your SNS policy and KMS key policy are partially correct, there are a few adjustments needed to make it work properly.

First, it's important to note that when using server-side encryption for SNS topics, you must use an AWS KMS customer managed key instead of the default AWS managed key. This is because the default key policy doesn't include the necessary permissions for AWS services (like S3 in your case) to perform KMS operations.

To resolve this issue, you need to modify your KMS key policy to allow S3 to use the key for encryption. Add the following statement to your KMS key policy:

{
    "Sid": "Allow S3 to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "s3.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
}

This statement allows the S3 service to generate data keys and decrypt data using your KMS key, which is necessary for the encrypted SNS topic to receive notifications from S3.

Additionally, to troubleshoot and view errors that may occur while publishing SNS messages, you can:

  1. Check Amazon SNS CloudWatch metrics, such as NumberOfMessagePublished, NumberOfNotificationsDelivered, and NumberOfNotificationsFailed.

  2. Enable Amazon SNS topic delivery status logs. This will provide more detailed information about message delivery issues.

  3. Verify that the SNS topic and the S3 bucket are in the same AWS region.

  4. Ensure that the email addresses subscribed to the SNS topic have confirmed their subscription.

By making these adjustments and using these troubleshooting methods, you should be able to resolve the issue with your S3 SNS email notifications when using encryption.
Sources
Troubleshoot encrypted SNS topic not getting notifications from AWS service | AWS re:Post
Walkthrough: Configuring a bucket for notifications (SNS topic or SQS queue) - Amazon Simple Storage Service

answered 2 months ago
EXPERT reviewed 2 months ago
EXPERT revised 2 months ago
EXPERT revised 2 months ago
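As an added example (not code from the answer or from AWS), a small offline checker that evaluates whether a KMS key policy effectively grants a service principal the KMS actions this answer calls for; the key policy from the question and the statement proposed above are embedded as constructed sample input. It is a simplified model of IAM evaluation (Principal, Action and Effect only, with wildcard matching and Deny-wins), and the function names `missing_actions` and `_effect_on` are assumptions of this example.

```python
import fnmatch
# Constructed sample input: the KMS key policy posted in the question.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::1234444444444:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowSNSAccess", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}
# The statement the accepted answer proposes adding for the S3 service principal.
S3_STATEMENT = {
    "Sid": "Allow S3 to use the key", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
}
# KMS actions a service principal needs to deliver to an SSE-KMS encrypted topic.
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _names_service(principal, service):
    """True if a statement's Principal covers the given service principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _listify(principal.get("Service", []))

def _effect_on(stmt, service, action):
    """Effect ('Allow'/'Deny') this statement has on service+action, else None.
    Simplified IAM model: Principal/Action/Effect only (no NotAction, Condition)."""
    if not _names_service(stmt.get("Principal", {}), service):
        return None
    # IAM action matching is case-insensitive and supports '*' wildcards.
    for pattern in _listify(stmt.get("Action", [])):
        if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
            return stmt.get("Effect")
    return None

def missing_actions(policy, service, required=REQUIRED):
    """Required actions the service is not effectively allowed; an explicit Deny wins."""
    missing = []
    for action in required:
        effects = {_effect_on(s, service, action) for s in policy["Statement"]}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing
```

Run `missing_actions(KEY_POLICY, "s3.amazonaws.com")` against the policy as posted and it reports both actions missing for S3 while SNS is already covered; appending `S3_STATEMENT` clears the S3 list.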
0

Amazon SNS only supports symmetric encryption KMS keys. Can you confirm this is the case?

Also, check CloudTrail for access denied from KMS and SNS.

EXPERT answered 2 months ago
