FAQ: Can we encrypt the SNS/SQS in our CloudTrail integration?

Yes. The SNS topic and SQS queue used by the CloudTrail integration can be encrypted with a KMS key once the key policy of the Customer Managed Key / AWS Managed Key has been updated so that CloudTrail, SNS, and the integration role are allowed to use the key. Here is an example set of key-policy statements we've had success with (add them to the "Statement" array of your existing key policy alongside the administrative statements that are already there; do not replace the existing policy wholesale):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow CloudTrail/SNS key use",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow SNS/SQS Key Use",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow SQS/TS key use",
      "Effect": "Allow",
      "Principal": {
        "AWS": "TS_ROLE_ARN_HERE"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
Replace TS_ROLE_ARN_HERE with the IAM role ARN for your integration; that statement is what gives us the ability to decrypt messages from the queue. Once the key policy is in place, enable encryption with that key on the SNS topic and the SQS queue.
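The following is an added example, not part of this article or F5's own tooling. It merges the three statements above into an existing key policy document the way a practitioner would before running aws kms put-key-policy: it substitutes the integration role ARN, refuses a placeholder or malformed ARN, refuses to proceed if the existing policy has no root/administrative statement (a key policy without one cannot be managed afterwards), and replaces rather than duplicates statements with the same Sid so the merge is idempotent. The sample existing policy, the account id 111122223333, and the role name ThreatStackIntegration are constructed for the example; no AWS calls are made.

```python
"""Merge the CloudTrail/SNS/SQS key-policy statements into an existing KMS key policy.

Added example (not from the F5 article). Assumes the existing key policy is
supplied as a JSON string, e.g. the output of
`aws kms get-key-policy --key-id <id> --policy-name default --output text`,
and that the integration role ARN is known. Nothing here talks to AWS.
"""
import json
import re

PLACEHOLDER = "TS_ROLE_ARN_HERE"
# IAM role ARN shape, including partitions such as aws-us-gov / aws-cn.
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample: the AWS default key policy (root admin statement only).
SAMPLE_EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})


def integration_statements(role_arn: str) -> list:
    """Return the three statements from the article with the role ARN filled in."""
    if role_arn == PLACEHOLDER or not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return [
        {"Sid": "Allow CloudTrail/SNS key use", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Allow SNS/SQS Key Use", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        {"Sid": "Allow SQS/TS key use", "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": "kms:Decrypt", "Resource": "*"},
    ]


def _is_admin_statement(stmt: dict) -> bool:
    """True if the statement lets the account root principal do kms:* (or *)."""
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    principals = aws if isinstance(aws, list) else [aws]
    actions = stmt.get("Action")
    actions = actions if isinstance(actions, list) else [actions]
    return (stmt.get("Effect") == "Allow"
            and any(isinstance(p, str) and p.endswith(":root") for p in principals)
            and any(a in ("kms:*", "*") for a in actions))


def merge_key_policy(existing_policy_json: str, role_arn: str) -> str:
    """Return the existing policy with the integration statements merged in."""
    policy = json.loads(existing_policy_json)
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):            # single-statement short form
        statements = [statements]
        policy["Statement"] = statements
    if not any(_is_admin_statement(s) for s in statements):
        raise ValueError("existing key policy has no administrative statement; refusing to merge")
    by_sid = {s.get("Sid"): i for i, s in enumerate(statements) if s.get("Sid")}
    for new in integration_statements(role_arn):
        if new["Sid"] in by_sid:
            statements[by_sid[new["Sid"]]] = new  # refresh an earlier copy in place
        else:
            statements.append(new)
    merged = json.dumps(policy, indent=2)
    if PLACEHOLDER in merged:
        raise ValueError("placeholder survived the merge")
    return merged


def statement_sids(policy_json: str) -> list:
    """Sids of a policy's statements, in order (handy for checking the merge)."""
    return [s.get("Sid") for s in json.loads(policy_json)["Statement"]]


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/ThreatStackIntegration"
    print(merge_key_policy(SAMPLE_EXISTING_POLICY, role))
```

Write the printed document to a file and apply it with aws kms put-key-policy --key-id <key id> --policy-name default --policy file://merged.json, then enable encryption on the topic and queue with that key. Because a key policy is the only thing standing between you and an unmanageable key, the script deliberately fails closed on a missing admin statement rather than silently producing a policy that looks valid.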

Please contact AIP Support at aipsupport@f5.com with any questions you have. 