
I have an event bus and created an event rule that forwards events to an SQS queue. Now I enabled encryption for my queue, using the default amazon-managed key (alias/aws/sqs).

After enabling encryption, the events are not forwarded anymore. Researching the AWS docs I could only find info about using a CMK for encryption, but no info regarding the amazon managed key.

I guess it's a permission issue, but I'm not sure. This is my event rule and the access policy:

  queueCreateInvoiceEvent:
    Type: AWS::Events::Rule
    DependsOn: [myQueue]
    Properties:
      Description: Forward INVOICE_CREATED event to SQS queue
      EventBusName: ${self:custom.eventBus.name}
      EventPattern: { "detail-type": ["INVOICE_CREATED"] }
      Name: ${self:service.name}-${self:provider.stage}-buffer-invoice-created-event
      State: ENABLED
      Targets:
        - Id: myQueue
          Arn:
            Fn::GetAtt: [myQueue, Arn]


  createReceiptQueueAccessPolicy:
    Type: AWS::SQS::QueuePolicy
    DependsOn: [queueCreateInvoiceEvent, myQueue]
    Properties:
      Queues:
        - { Ref: createReceiptQueue }
      PolicyDocument:
        Id: EventBridgeSqsAccessPolicy
        Version: "2012-10-17"
        Statement:
          - Sid: Allow-User-SendMessage
            Effect: Allow
            Principal:
              Service: "events.amazonaws.com"
            Action:
              - sqs:SendMessage
            Resource:
              - Fn::GetAtt: ["myQueue", "Arn"]
            Condition:
              ArnEquals:
                aws:SourceArn:
                  - Fn::GetAtt: ["queueCreateInvoiceEvent", "Arn"]

2 Answers

Per the EventBridge troubleshooting page, your KMS key policy needs to allow EventBridge access to the key:

{
    "Sid": "Allow EventBridge to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}
    It makes no sense to me why EventBridge needs `kms:Decrypt` when all it needs to do is encrypt a message and drop it onto the queue. But yes, in my testing, having `kms:Decrypt` really is essential here. – Nic Feb 03 '21 at 20:10
  • I also noticed that attempting to test `aws:SourceArn` using a Condition block always resulted in failure, so if you're having trouble, try removing Condition blocks from the KMS key policy. – Nic Feb 03 '21 at 20:11
Adding to what was said above, but with a little more detail. As of today (2022-03-04) you are required to have the following in place to allow EventBridge to send to an encrypted SQS queue. From the AWS docs https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse:

Several AWS services act as event sources that can send events to Amazon SQS queues. To allow these event sources to work with encrypted queues, you must create a customer managed KMS key and add permissions in the key policy for the service to use the required AWS KMS API methods.

  1. Customer managed KMS key with a policy to allow the events.amazonaws.com certain actions.
  2. The SQS queue must then use that KMS key id for encryption.

Here are the two pieces of CloudFormation required.

# KMS key is required to allow eventbridge to send to encrypted sqs queue
# https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
KmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: my-key-name
    KeyPolicy:
      Version: "2012-10-17"
      Statement:
        - Sid: Allow EventBridge access
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action:
            - kms:GenerateDataKey
            - kms:Decrypt
          Resource: '*'

        - Sid: Allow access for Key Administrators
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/my-role-name
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'

EventRuleQueue:
  Type: AWS::SQS::Queue
  Properties:
    QueueName: my-queue-name
    KmsMasterKeyId: !Ref KmsKey
    KmsDataKeyReusePeriodSeconds: 43200 # 12 hours to reduce cost
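As an added example (not code from the question or either answer), here is a small Python lint that reads a KMS key policy and reports whether the events.amazonaws.com principal is granted both kms:GenerateDataKey and kms:Decrypt, and flags any Condition on that grant, since the comments above report that conditioned grants fail. The sample policies are constructed for the example; the checker runs locally on the policy document and makes no AWS API calls.

```python
import fnmatch
import json

# Actions EventBridge needs on the queue's key, per the SQS developer guide quoted above.
REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
EVENTBRIDGE = "events.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _names_eventbridge(principal):
    """True if the statement's Principal covers the EventBridge service."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and EVENTBRIDGE in _as_list(principal.get("Service"))


def check_eventbridge_access(policy):
    """Return (missing_actions, warnings) for a KMS key policy given as a dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted, warnings = set(), []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _names_eventbridge(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        # Expand wildcards such as kms:* or kms:Generate* against the required set.
        matched = {a for a in REQUIRED_ACTIONS if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        granted |= matched
        if matched and stmt.get("Condition"):
            warnings.append(f"'{stmt.get('Sid', '<no Sid>')}' grants EventBridge only under a Condition; "
                            "the comments above report aws:SourceArn conditions failing in key policies")
    return REQUIRED_ACTIONS - granted, warnings


# Constructed sample: GenerateDataKey only, missing the kms:Decrypt the comments call essential.
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow EventBridge", "Effect": "Allow", "Principal": {"Service": EVENTBRIDGE},
     "Action": "kms:GenerateDataKey", "Resource": "*"}]}

# Constructed sample mirroring the statement in the first answer.
COMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow EventBridge to use the key", "Effect": "Allow", "Principal": {"Service": EVENTBRIDGE},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}
```

Run `check_eventbridge_access(...)` on the `KeyPolicy` of your own template (converted to a dict) before deploying; an empty missing set and no warnings means the key policy matches what both answers require.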