如何使用加密的 DLQ 将 Redrive 策略添加到 SNS

Question

I have an SNS(encrypted with KMS) which is subscribed by two lambdas. I am trying to add a Redrive policy to one of the subscriptions. The DLQ in question is encrypted.

Adding Redrive policy is giving me an error 'Couldn't check Amazon SQS queue permissions. Make sure that the queue exists and that your account has permission to read the attributes of the queue. To allow an Amazon SNS topic to send messages to an Amazon SQS queue, you must create an Amazon SQS queue policy'

I have tried giving SNS decrypt permission on the DLQ Queue. But no luck. Any leads?

Answer 1

Seems like the functionality is working even if it shows an alert in console. The messages get sent to DLQ on lambda failures even though the console shows an alert.

Answer 2

I've reached out to AWS Support, and it's a known UI issue. And as of now, there is still no ETA confirmed for the fix.

To workaround, however, you could change SQS Access Policy Principal section from

"Principal": {
  "Service": "sns.amazonaws.com"
},

to

"Principal": "*",

Answer 3

Presuming you have used the SQS queue policy from the AWS documentation with the principal "Service":"sns.amazonaws.com" then the error message is caused by the fact that the console uses an IAM policy simulation but no principal is being passed.

Changing the principal to "AWS":"*" will allow the policy simulation to succeed and therefore remove the error.

Using the wildcard is safe provided you have a condition which limits access from the specific SNS topic only, as outlined in the prerequisites in AWS's documentation .