Closed
Description
When the option '--aws-managed-encryption' is invoked, the following permissions were required in addition to the standard documented ones; otherwise the error "ERROR SNS topic ARN not found in region 'us-east-1' , use -h for help." was thrown:

```json
{
  "Sid": "kmskeypermissions",
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:ListKeys"
  ],
  "Resource": [
    "arn:aws:kms:region:acct:key/keyid"
  ]
}
```
Also, I added the following stanzas to the S3 bucket policy:

```json
{
  "Sid": "DenyIncorrectEncryptionHeader",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::bucket/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "AES256"
    }
  }
},
{
  "Sid": "DenyUnEncryptedObjectUploads",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::bucket/*",
  "Condition": {
    "Null": {
      "s3:x-amz-server-side-encryption": "true"
    }
  }
}
```

I used the same self-created key for S3, SNS, and SQS, though I don't think that's strictly required. I used KMS key material, not external, although that should not make any real difference either.
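As an added example (not part of the issue or the project), here is a small offline evaluator for the two Deny statements quoted above. It implements only the `StringNotEquals` and `Null` operators, under the simplified semantics that a `StringNotEquals` condition does not match when the header is absent (which is why the second, `Null`-based statement is needed); the sample requests are constructed.

```python
import json

# The two bucket-policy Deny statements from the issue, as a Statement array.
BUCKET_POLICY_STATEMENTS = json.loads("""
[
  {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*",
   "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
  {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
]
""")


def condition_matches(condition, request):
    """True when every operator block in `condition` matches `request`.

    `request` maps condition keys (here, the SSE request header) to values.
    Simplified semantics (an assumption of this example): StringNotEquals
    does not match when the key is absent; Null tests presence/absence only.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in request
            if operator == "StringNotEquals":
                if not present or request[key] == expected:
                    return False
            elif operator == "Null":
                # "true" means "key must be absent"; "false" means "must be present".
                if present == (expected == "true"):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denying_sids(statements, action, request):
    """Sids of Deny statements that fire for `action` with the given request keys."""
    return [s["Sid"] for s in statements
            if s["Effect"] == "Deny" and s["Action"] == action
            and condition_matches(s["Condition"], request)]


# Constructed sample requests: no SSE header, SSE-S3, and SSE-KMS.
SAMPLE_REQUESTS = {
    "no-header": {},
    "sse-s3": {"s3:x-amz-server-side-encryption": "AES256"},
    "sse-kms": {"s3:x-amz-server-side-encryption": "aws:kms"},
}
```

Running `denying_sids` over `SAMPLE_REQUESTS` shows which statement blocks each upload: the unencrypted request is caught only by the `Null` statement, while the `aws:kms` request is caught by the `StringNotEquals` statement, so a policy written for AES256 also rejects KMS-encrypted puts.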