How do I write the policy statement of an encrypted SQS for S3 events?

This is now possible. From the AWS documentation:

https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#grant-destinations-permissions-to-s3 under the section AWS KMS Key Policy

If the SQS queue is SSE enabled, you can attach the following key policy to the associated AWS Key Management Service (AWS KMS) customer managed customer master key (CMK). The policy grants the Amazon S3 service principal permission for specific AWS KMS actions that are necessary for to encrypt messages added to the queue.
{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [
        {
            "Sid": "example-statement-ID",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

I have missed the following announcement from the same article. A very silly mistake on my part. Will need to wait for sending S3 events to encrypted SQS.

The following features of AWS services aren't currently compatible with encrypted queues:

Amazon CloudWatch Events

Amazon S3 Event Notifications

Amazon SNS Topic Subscriptions

Auto Scaling Lifecycle Hooks

AWS IoT Rule Actions

AWS Lambda Dead-Letter Queues

How do I write the policy statement of an encrypted SQS for S3 events?

Tags:

Permissions

Amazon S3

Amazon Web Services

Amazon Sqs

Aws Kms

Related

Recent Posts