How do I write the policy statement of an encrypted SQS for S3 events?
This is now possible. From the AWS documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3 under the section AWS KMS Key Policy
If the SQS queue is SSE enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK). The policy grants the Amazon S3 service principal permission for the specific AWS KMS actions that are necessary to encrypt messages added to the queue.

```json
{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ],
      "Resource": "*"
    }
  ]
}
```
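The key policy above is only half of the setup: the queue itself still needs an access policy that lets the S3 service principal call `SendMessage`, and that statement should be scoped to one bucket and one account so that any other S3 bucket in the world cannot write into your queue (the confused-deputy problem). The following is an added example, not code from the answer or from AWS: it builds both documents with placeholder account, region, queue, bucket identifiers (all made up) and runs them through a small, simplified IAM-style evaluator to show which requests each policy admits. The KMS policy keeps the statement quoted above verbatim and adds the standard account-root administrator statement, without which the key cannot be managed; the queue policy follows the `aws:SourceArn` / `aws:SourceAccount` pattern from the S3 notification documentation. The evaluator models only the operators these two policies use and is not a substitute for the IAM policy simulator.

```python
"""Added example (not from the original Q&A or AWS): generate the KMS key
policy and SQS queue policy for S3 event notifications into an SSE-enabled
queue, then check them with a minimal IAM-style evaluator."""
import json
import re

# Constructed placeholder identifiers (assumptions, not from the original post).
ACCOUNT = "111122223333"
REGION = "us-east-1"
QUEUE_NAME = "s3-events"
BUCKET = "example-upload-bucket"


def queue_arn(account=ACCOUNT, region=REGION, name=QUEUE_NAME):
    return f"arn:aws:sqs:{region}:{account}:{name}"


def bucket_arn(name=BUCKET):
    return f"arn:aws:s3:::{name}"


def kms_key_policy(account=ACCOUNT):
    """Key policy for the customer managed CMK backing the queue's SSE.

    The first statement keeps the account root as key administrator (a key
    policy without it leaves the key unmanageable).  The second is the grant
    quoted from the AWS docs above: S3 needs GenerateDataKey and Decrypt on
    the key to put encrypted messages on the queue.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowS3ToUseKeyForQueueMessages",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                "Resource": "*",
            },
        ],
    }


def queue_policy(account=ACCOUNT, region=REGION, name=QUEUE_NAME, bucket=BUCKET):
    """SQS access policy: only S3, acting for this one bucket in this one
    account, may send messages.  SSE does not change this policy; it is the
    same statement an unencrypted queue would need."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3EventNotifications",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "SQS:SendMessage",
                "Resource": queue_arn(account, region, name),
                "Condition": {
                    # Confused-deputy guard: bind the grant to the source bucket and owner.
                    "ArnLike": {"aws:SourceArn": bucket_arn(bucket)},
                    "StringEquals": {"aws:SourceAccount": account},
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _condition_ok(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # missing context key fails the condition
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "ArnLike" and not any(_wild(p, actual) for p in _as_list(expected)):
                return False
            if operator not in ("StringEquals", "ArnLike"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, principal, action, resource, context=None):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow.
    Principal is the service name ('s3.amazonaws.com') or an IAM ARN."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        p = st.get("Principal", {})
        principals = ["*"] if p == "*" else _as_list(p.get("Service", [])) + _as_list(p.get("AWS", []))
        if not any(x in ("*", principal) for x in principals):
            continue
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(kms_key_policy(), indent=2))
    print(json.dumps(queue_policy(), indent=2))
    ctx = {"aws:SourceArn": bucket_arn(), "aws:SourceAccount": ACCOUNT}
    print(is_allowed(queue_policy(), "s3.amazonaws.com", "sqs:SendMessage", queue_arn(), ctx))
```

Apply the two documents with `aws kms put-key-policy` and `aws sqs set-queue-attributes --attributes Policy=...` (or the equivalent boto3 calls); the evaluator here is only for reasoning about the statements before you push them. The useful negative cases are a notification from a different bucket ARN or a different account ID, which the queue policy rejects, while the KMS statement deliberately grants the S3 principal nothing beyond `GenerateDataKey` and `Decrypt`.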
I had missed the following announcement in the same article. A very silly mistake on my part. I will need to wait before sending S3 events to an encrypted SQS queue.
The following features of AWS services aren't currently compatible with encrypted queues:
Amazon CloudWatch Events
Amazon S3 Event Notifications
Amazon SNS Topic Subscriptions
Auto Scaling Lifecycle Hooks
AWS IoT Rule Actions
AWS Lambda Dead-Letter Queues