
Storage Stack Dead-letter Queue

If you would like to monitor and track failures of the Lambda functions and the SNS topic in the storage stack, specify the following parameters when you create or update the stack.

  • BucketListenerDLQARN: The ARN of the dead-letter destination for the BucketListener function.
  • PostScanActionTagDLQARN: The ARN of the dead-letter destination for the Post-Scan Actions function.
  • ScanResultTopicDLQARN: The ARN of the dead-letter queue for the scan result topic SNS.
  • KMSKeyARNForDLQSSE: The ARN of the KMS master key for the dead-letter queue. Leave it blank if your SQS doesn't enable server-side encryption.

Only SQS is supported as a dead-letter destination/queue, and the SQS queue must be deployed in the same AWS account and the same AWS region as your storage stack.

Prerequisite

To deploy a storage stack with dead-letter queue

  • Update SQS policy

    • Enter the following AWS CLI command:

      aws sqs get-queue-attributes --queue-url SQS-URL --attribute-names Policy --query Attributes > sqs-policy.json

      where...

      SQS-URL is replaced with the URL of the SQS that you are using as the dead-letter queue.

    • Edit sqs-policy.json and insert a new Statement object in it.

      {
          "Sid": "Grant permission",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "sqs:SendMessage",
          "Resource": "*"
      }
      
    • Enter the following AWS CLI command:

      aws sqs set-queue-attributes --queue-url SQS-URL --attributes file://sqs-policy.json

      SQS-URL is replaced with the URL of the SQS that you are using as the dead-letter queue.

    Or execute the following shell script:

    # Read the current queue policy (returned as an escaped JSON string inside
    # the Attributes object), append the SendMessage statement to its Statement
    # array, and keep the result compact so it can be re-embedded as a string.
    new_policy=$(aws sqs get-queue-attributes --queue-url SQS-URL --attribute-names Policy --query Attributes \
        | jq '.Policy' -r \
        | jq '.Statement[.Statement| length] |= . + {"Sid":"Grant permission","Effect":"Allow","Principal":{"AWS":"*"},"Action":"SQS:SendMessage","Resource":"*"}' -c)
    # Wrap the updated policy back into the {"Policy": "..."} shape that
    # set-queue-attributes expects, then apply it to the queue.
    echo '{}' | jq --arg variable "$new_policy" '.Policy = $variable' > sqs-policy.json
    aws sqs set-queue-attributes --queue-url SQS-URL --attributes file://sqs-policy.json
    

    SQS-URL is replaced with the URL of the SQS that you are using as the dead-letter queue.

  • (Optional) Update KMS key policy if enabling DLQ encryption

    • Enter the following AWS CLI command:

      aws kms get-key-policy --key-id KMS-MASTER-KEY-ARN-FOR-DLQ --policy-name default --output text > key-policy.json

      where...

      KMS-MASTER-KEY-ARN-FOR-DLQ is replaced with the ARN of the KMS key that you used for DLQ encryption.

    • Edit key-policy.json and insert a new Statement object in it.

      {
          "Sid": "Grant sns permission",
          "Effect": "Allow",
          "Principal": {
              "Service": "sns.amazonaws.com"
          },
          "Action": [
              "kms:Decrypt",
              "kms:GenerateDataKey"
          ],
          "Resource": "*"
      }
      

      where...

      BucketListenerRoleARN is replaced with the ARN of the bucketListener in your storage stack.

    • Enter the following AWS CLI command:

      aws kms put-key-policy --key-id KMS-MASTER-KEY-ARN-FOR-DLQ --policy-name default --policy file://key-policy.json

      where...

      KMS-MASTER-KEY-ARN-FOR-DLQ is replaced with the ARN of the KMS key that you used for DLQ encryption.
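The two "edit the file and insert a new Statement object" steps above (sqs-policy.json for the queue, key-policy.json for the KMS key) are the same operation on two file shapes. The following script is an added example, not part of the original page or the vendor's tooling: it performs that insertion in Python so the result can be checked offline before `set-queue-attributes` or `put-key-policy` is run. It assumes sqs-policy.json has the shape `{"Policy": "<policy as an escaped JSON string>"}` (what `get-queue-attributes --query Attributes` writes) and that key-policy.json is the plain policy document (what `get-key-policy --output text` writes). Unlike the jq one-liner it tolerates a queue with no existing policy, a `Statement` that is a single object rather than a list, and a repeated run (a Sid already present is not appended twice). It also lists statements that grant access to any principal without a Condition, which the page's SQS statement does; the sample policies, account id and queue name are constructed placeholders.

```python
"""Insert a Statement into an SQS queue policy or a KMS key policy file.

Added example; not the page's or the vendor's code. File shapes assumed:
sqs-policy.json = {"Policy": "<escaped JSON policy>"}, key-policy.json = a
plain policy document.
"""
import copy
import json
from typing import Any, Dict, List

# Statements exactly as given on the page.
SQS_DLQ_STATEMENT: Dict[str, Any] = {
    "Sid": "Grant permission",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "sqs:SendMessage",
    "Resource": "*",
}
KMS_SNS_STATEMENT: Dict[str, Any] = {
    "Sid": "Grant sns permission",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",
}

# Constructed samples (placeholder account id, queue name and key policy id).
SAMPLE_SQS_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerFullAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "SQS:*",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:example-dlq",
    }],
}
SAMPLE_SQS_ATTRS_JSON: str = json.dumps({"Policy": json.dumps(SAMPLE_SQS_POLICY)})
SAMPLE_KMS_POLICY_TEXT: str = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Statement may be a list or a single object; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def add_statement(policy: Dict[str, Any], statement: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of policy with statement appended (idempotent by Sid).

    An empty policy (queue without a Policy attribute) gets a fresh document.
    """
    doc = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    stmts = _statements(doc)
    sid = statement.get("Sid")
    if sid is None or all(s.get("Sid") != sid for s in stmts):
        stmts.append(copy.deepcopy(statement))
    doc["Statement"] = stmts
    return doc


def update_sqs_policy_file(attrs_json: str, statement: Dict[str, Any]) -> str:
    """Update the text of sqs-policy.json; the policy stays a nested JSON string."""
    attrs = json.loads(attrs_json) if attrs_json.strip() else {}
    policy = json.loads(attrs["Policy"]) if attrs.get("Policy") else {}
    attrs["Policy"] = json.dumps(add_statement(policy, statement), separators=(",", ":"))
    return json.dumps(attrs)


def update_kms_policy_file(policy_text: str, statement: Dict[str, Any]) -> str:
    """Update the text of key-policy.json (a plain policy document)."""
    return json.dumps(add_statement(json.loads(policy_text), statement), indent=4)


def open_principal_sids(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements for any principal ('*' or {"AWS": "*"}) with no Condition.

    The page's SQS statement is one: review such grants and, where the sending
    principals are known, narrow Principal or add a Condition before applying.
    """
    found = []
    for s in _statements(policy):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anyone and "Condition" not in s:
            found.append(s.get("Sid", "<no Sid>"))
    return found


def sqs_policy_sids(attrs_json: str) -> List[str]:
    """Sids inside an sqs-policy.json text, for checking the result."""
    return [s.get("Sid", "") for s in _statements(json.loads(json.loads(attrs_json)["Policy"]))]


if __name__ == "__main__":
    updated = update_sqs_policy_file(SAMPLE_SQS_ATTRS_JSON, SQS_DLQ_STATEMENT)
    print(updated)
    print("open principals:", open_principal_sids(json.loads(json.loads(updated)["Policy"])))
    print(update_kms_policy_file(SAMPLE_KMS_POLICY_TEXT, KMS_SNS_STATEMENT))
```

To use it on real files, read sqs-policy.json or key-policy.json into a string, pass it to the matching `update_*` function together with the statement, write the returned text back, and run `open_principal_sids` on the parsed result as a last review before the `set-queue-attributes` or `put-key-policy` command.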