I'm turning on SSE for two SQS queues.
The first queue is subscribed to an SNS topic and has a Lambda trigger. The second queue doesn't have an SNS subscription and only has a Lambda trigger.
It seems I can use the default AWS managed key aws/sqs for the 2nd queue without giving the Lambda execution role permissions to the key. However, for the first queue, as this AWS page suggests, I need to use a customer-managed key.
My question is: why do I need a customer-managed key with an extra key policy to allow SNS to access the encrypted SQS queue, but I don't need it for Lambda to access the encrypted SQS queue?
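For reference, the shape of the customer-managed key policy the question refers to, as an added example and not part of the original post. It assumes a placeholder account ID (`111122223333`) and a placeholder Lambda execution role name (`queue-consumer-role`). The SNS statement is what the AWS managed `aws/sqs` key policy cannot carry: that policy is fixed by AWS and only grants key use to principals in your own account acting through SQS, so the SNS service principal, which must encrypt (generate a data key) when it delivers into the queue, is never covered.

```json
{
  "Version": "2012-10-17",
  "Id": "sqs-sns-cmk-policy",
  "Statement": [
    {
      "Sid": "AccountAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowSnsToEncryptForDelivery",
      "Effect": "Allow",
      "Principal": { "Service": "sns.amazonaws.com" },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowQueueConsumerToDecrypt",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/queue-consumer-role"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```

With a customer-managed key the consuming Lambda execution role also needs `kms:Decrypt` (the third statement), which is the part the `aws/sqs` key gives you for free to in-account principals and why the second queue works without any key policy edits.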