Here's the full scenario. My use case requires SNS and SQS with SSE enabled. We are using BYOK KMS keys stored in a central, security-managed KMS account. Both the SNS topic and the SQS queue are accessing the key from the same application account. The key policy has the following to allow access (note: this isn't the full policy, just the relevant cross-account and SNS/SQS statements):
```json
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::112233445566:role/XYZ",
          "arn:aws:iam::778899110022:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow Amazon SNS to use this key",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sns.amazonaws.com",
          "sqs.amazonaws.com"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }
  ]
}
```
No matter what I try, I get the following error from SQS when it tries to read the message:

```
{"ErrorCode":"KMS.AccessDeniedException","ErrorMessage":"null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: blahblahblah)","sqsRequestId":"Unrecoverable"}
```
All this said... when I create my own key within the KMS account and use that key, I am successful. Unfortunately, our security policy requires the use of their KMS keys. Would appreciate any insight.
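As an added illustration (not part of the original post, and not a diagnosis of the poster's environment), the script below is a deliberately simplified model of the rule AWS documents for cross-account KMS key use: a key-policy statement that names another account's `root` principal only delegates to that account, and a role in that account must additionally be allowed by an IAM policy in its own account, whereas a principal named by its full ARN in the key policy needs no IAM policy. The key ARN, the central KMS account ID `999999999999`, the `Consumer` role and the `CONSUMER_IAM_POLICY` document are hypothetical; the two key-policy statements mirror the ones posted above. The model ignores explicit `Deny` statements in key policies, `Condition` blocks, KMS grants, SCPs and permission boundaries, so it is a teaching aid, not AWS's evaluator.

```python
"""Toy model of KMS cross-account policy evaluation (added example, not AWS code).

Rule modelled: a principal named by full ARN in the key policy is allowed
directly; a principal whose *account root* is named is only delegated to,
and must also be allowed by an IAM policy in its own account. Account IDs,
the key ARN and the Consumer role below are hypothetical.
"""
import fnmatch

KEY_ACCOUNT = "999999999999"  # hypothetical central security (KMS) account
APP_ACCOUNT = "778899110022"  # account granted via its root ARN in the post
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

# Mirrors the two statements from the post; the key administrator statement is omitted.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::112233445566:role/XYZ",
                                  f"arn:aws:iam::{APP_ACCOUNT}:root"]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow Amazon SNS to use this key",
            "Effect": "Allow",
            "Principal": {"Service": ["sns.amazonaws.com", "sqs.amazonaws.com"]},
            "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
}

# Hypothetical identity policy attached to the consuming role in the application account.
CONSUMER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": KEY_ARN,   # scoped to the one cross-account key, not "*"
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))


def _resource_matches(stmt, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))


def _account_of(arn):
    return arn.split(":")[4]


def key_policy_decision(key_policy, principal_arn, action):
    """'direct' if the principal's own ARN is named for this action,
    'delegated' if only its account root is named, None otherwise."""
    root_arn = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    decision = None
    for stmt in key_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _action_matches(stmt, action):
            continue
        aws_principals = _as_list(stmt["Principal"].get("AWS", []))
        if principal_arn in aws_principals:
            return "direct"
        if root_arn in aws_principals:
            decision = "delegated"
    return decision


def iam_policy_allows(iam_policy, action, resource):
    """Identity-policy evaluation: any matching Deny wins, else a matching Allow."""
    allowed = False
    for stmt in iam_policy.get("Statement", []):
        if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def kms_request_allowed(principal_arn, action, key_policy=KEY_POLICY,
                        iam_policy=None, key_arn=KEY_ARN):
    """Return (allowed, reason) for an IAM principal calling KMS on this key."""
    decision = key_policy_decision(key_policy, principal_arn, action)
    if decision is None:
        return False, "key policy names neither the principal nor its account root"
    if decision == "direct":
        return True, "key policy names the principal ARN directly"
    if iam_policy and iam_policy_allows(iam_policy, action, key_arn):
        return True, "key policy delegates to the account and an IAM policy there allows it"
    return False, ("key policy delegates to the account root, but no IAM policy in "
                   "that account allows the action on this key ARN")


def service_principal_allowed(service, action, key_policy=KEY_POLICY):
    """Does the key policy let an AWS service principal (e.g. SNS) call this action?"""
    return any(stmt["Effect"] == "Allow" and _action_matches(stmt, action)
               and service in _as_list(stmt["Principal"].get("Service", []))
               for stmt in key_policy["Statement"])


if __name__ == "__main__":
    consumer = f"arn:aws:iam::{APP_ACCOUNT}:role/Consumer"  # hypothetical role
    for policy in (None, CONSUMER_IAM_POLICY):
        print(consumer, "kms:Decrypt ->", kms_request_allowed(consumer, "kms:Decrypt", iam_policy=policy))
```

Two things the model makes visible that the posted key policy does not: the `root` grant for `778899110022` is only half of a cross-account grant (the other half lives in that account's IAM policies, scoped here to the single key ARN rather than `*`), and the service-principal statement is unconditioned, so SNS and SQS acting for any account could use the key; in a real key policy a practitioner would scope that statement (for example with a `kms:ViaService` condition on the principal-side statement, which is a KMS condition key and not something the post mentions).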