Storage Stack Dead-letter Queue
To monitor and track delivery failures of the Lambda functions and the SNS topic in a storage stack, specify the following parameters when you create or update the stack.
- BucketListenerDLQARN: The ARN of the dead-letter destination for the BucketListener function.
- PostScanActionTagDLQARN: The ARN of the dead-letter destination for the Post-Scan Actions function.
- ScanResultTopicDLQARN: The ARN of the dead-letter queue for the scan result topic SNS.
- KMSKeyARNForDLQSSE: The ARN of the KMS key used for server-side encryption of the dead-letter queue. Leave it blank if server-side encryption is not enabled on the SQS queue.
Only SQS is supported as a dead-letter destination/queue. The SQS queue must be deployed in the same AWS account and the same AWS region as your storage stack.
Prerequisite
To deploy a storage stack with a dead-letter queue
- Update the SQS queue policy.
  - Enter the following AWS CLI command:
    aws sqs get-queue-attributes --queue-url SQS-URL --attribute-names Policy --query Attributes > sqs-policy.json
    where SQS-URL is replaced with the URL of the SQS queue that you are using as the dead-letter queue.
  - Edit sqs-policy.json and insert a new Statement object in it:
    {
      "Sid": "Grant permission",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "*"
    }
    Note that sqs-policy.json holds the policy document as a JSON-encoded string under the Policy key, so the quotes of the inserted statement must be escaped to match the surrounding string (the shell script below does this with jq). Also note that "Principal": "*" allows any AWS principal to send messages to the queue; if your environment requires it, narrow Principal to the senders the stack actually uses (the Lambda functions' execution roles and the sns.amazonaws.com service principal) or add a Condition.
  - Enter the following AWS CLI command:
    aws sqs set-queue-attributes --queue-url SQS-URL --attributes file://sqs-policy.json
    where SQS-URL is replaced with the URL of the SQS queue that you are using as the dead-letter queue.
  Alternatively, execute the following shell script, which performs the same three steps (it requires jq and assumes the queue already has a policy):
    new_policy=$(aws sqs get-queue-attributes --queue-url SQS-URL --attribute-names Policy --query Attributes \
      | jq -r '.Policy' \
      | jq -c '.Statement += [{"Sid":"Grant permission","Effect":"Allow","Principal":{"AWS":"*"},"Action":"SQS:SendMessage","Resource":"*"}]')
    echo '{}' | jq --arg variable "$new_policy" '.Policy = $variable' > sqs-policy.json
    aws sqs set-queue-attributes --queue-url SQS-URL --attributes file://sqs-policy.json
    where SQS-URL is replaced with the URL of the SQS queue that you are using as the dead-letter queue.
- (Optional) Update the KMS key policy if DLQ encryption is enabled.
  - Enter the following AWS CLI command:
    aws kms get-key-policy --key-id KMS-MASTER-KEY-ARN-FOR-DLQ --policy-name default --output text > key-policy.json
    where KMS-MASTER-KEY-ARN-FOR-DLQ is replaced with the ARN of the KMS key that you use for DLQ encryption.
  - Edit key-policy.json and insert a new Statement object in it:
    {
      "Sid": "Grant sns permission",
      "Effect": "Allow",
      "Principal": { "Service": "sns.amazonaws.com" },
      "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
      "Resource": "*"
    }
    where BucketListenerRoleARN is replaced with the ARN of the BucketListener function's execution role in your storage stack. (The statement shown above contains no such placeholder; it grants only the SNS service principal, which SNS needs in order to deliver to an SSE-KMS encrypted queue.)
  - Enter the following AWS CLI command:
    aws kms put-key-policy --key-id KMS-MASTER-KEY-ARN-FOR-DLQ --policy-name default --policy file://key-policy.json
    where KMS-MASTER-KEY-ARN-FOR-DLQ is replaced with the ARN of the KMS key that you use for DLQ encryption.
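The whole procedure above (SQS queue policy, then the optional KMS key policy) as one script. This is an added example, not tooling from the product or its documentation: it uses boto3 in place of the AWS CLI, checks for the Sid before appending so it can be re-run without stacking duplicate grants, handles a queue that has no policy yet, and keeps the policy edits in pure functions that run offline on a constructed sample policy. The queue URL and key ARN are taken from the command line; EXAMPLE_QUEUE_ARN and EXAMPLE_QUEUE_POLICY are constructed placeholders, and the option to narrow Principal is an addition to the page's "*" default.

```python
# Added example (not part of the product documentation): applies both policy edits
# from the dead-letter queue procedure with boto3. Policy editing is done by pure
# functions so it can be checked offline; only apply_* talks to AWS (boto3 is
# imported lazily there so the module loads without it).
import json
from typing import Optional, Tuple, Union

SQS_DLQ_SID = "Grant permission"        # Sid from the SQS queue policy step
KMS_SNS_SID = "Grant sns permission"    # Sid from the KMS key policy step

# Constructed sample queue policy for offline use; the ARNs are placeholders.
EXAMPLE_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:fss-dlq"
EXAMPLE_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {  # a single statement may be an object rather than a list
        "Sid": "OwnerFullAccess", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sqs:*", "Resource": EXAMPLE_QUEUE_ARN},
})


def _load_policy(policy_text: Optional[str]) -> dict:
    """Parse a policy document. A queue with no Policy attribute gets an empty
    one, and a lone Statement object is normalised to a one-element list."""
    if not policy_text:
        return {"Version": "2012-10-17", "Statement": []}
    policy = json.loads(policy_text)
    stmts = policy.get("Statement", [])
    policy["Statement"] = stmts if isinstance(stmts, list) else [stmts]
    return policy


def _append_once(policy: dict, statement: dict) -> bool:
    """Append statement unless its Sid is already present (idempotent re-runs).
    Returns True when the policy changed."""
    if any(s.get("Sid") == statement["Sid"] for s in policy["Statement"]):
        return False
    policy["Statement"].append(statement)
    return True


def statement_sids(policy_text: str) -> list:
    """Sids of all statements in a policy document, in order (for inspection)."""
    return [s.get("Sid") for s in _load_policy(policy_text)["Statement"]]


def add_dlq_send_permission(policy_text: Optional[str], queue_arn: str,
                            principal: Union[str, dict] = "*") -> Tuple[str, bool]:
    """The 'Grant permission' statement from the SQS step. Resource is the
    queue's own ARN instead of '*'; principal defaults to '*' as on the page and
    can be narrowed, e.g. {"Service": "sns.amazonaws.com"} for the topic's DLQ."""
    policy = _load_policy(policy_text)
    changed = _append_once(policy, {
        "Sid": SQS_DLQ_SID, "Effect": "Allow", "Principal": principal,
        "Action": "sqs:SendMessage", "Resource": queue_arn})
    return json.dumps(policy), changed


def add_kms_sns_permission(key_policy_text: str) -> Tuple[str, bool]:
    """The 'Grant sns permission' statement from the KMS step."""
    policy = _load_policy(key_policy_text)
    changed = _append_once(policy, {
        "Sid": KMS_SNS_SID, "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"})
    return json.dumps(policy), changed


def apply_sqs_policy(queue_url: str, principal: Union[str, dict] = "*") -> bool:
    """Read-modify-write the queue policy. SQS carries the policy as a JSON
    string inside the Attributes map, hence json.dumps() on the way back."""
    import boto3
    sqs = boto3.client("sqs")
    attrs = sqs.get_queue_attributes(
        QueueUrl=queue_url, AttributeNames=["QueueArn", "Policy"])["Attributes"]
    text, changed = add_dlq_send_permission(
        attrs.get("Policy"), attrs["QueueArn"], principal)
    if changed:
        sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={"Policy": text})
    return changed


def apply_kms_policy(key_arn: str) -> bool:
    """Read-modify-write the key's 'default' policy (the only name KMS allows)."""
    import boto3
    kms = boto3.client("kms")
    current = kms.get_key_policy(KeyId=key_arn, PolicyName="default")["Policy"]
    text, changed = add_kms_sns_permission(current)
    if changed:
        kms.put_key_policy(KeyId=key_arn, PolicyName="default", Policy=text)
    return changed


if __name__ == "__main__":
    import sys
    # usage: python dlq_policy.py SQS-URL [KMS-MASTER-KEY-ARN-FOR-DLQ]
    if len(sys.argv) < 2:  # no arguments: offline demo on the constructed policy
        text, _ = add_dlq_send_permission(EXAMPLE_QUEUE_POLICY, EXAMPLE_QUEUE_ARN)
        print(statement_sids(text))
    else:
        print("queue policy changed:", apply_sqs_policy(sys.argv[1]))
        if len(sys.argv) > 2:
            print("key policy changed:", apply_kms_policy(sys.argv[2]))
```

Run with no arguments to see the edit applied to the sample policy; with the queue URL (and optionally the key ARN) it performs the same read-modify-write the CLI steps do. The script is a read-modify-write without a lock, so run it from one place at a time; the Sid check only protects against repeated runs, not against concurrent editors.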