ERROR SNS topic ARN not found in region 'us-east-1' , use -h for help.

[cirrusnine]

When the option '--aws-managed-encryption' is invoked, the following permissions were required in addition to the standard documented ones or else the error "ERROR SNS topic ARN not found in region 'us-east-1' , use -h for help." was thrown:

  {
        "Sid": "kmskeypermissions",
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:ListKeys"
        ],
        "Resource": [
            "arn:aws:kms:region:acct:key/keyid"
        ]
    }

Also I added the following stanzas to the S3 bucket policy:

  {
        "Sid": "DenyIncorrectEncryptionHeader",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": {
            "StringNotEquals": {
                "s3:x-amz-server-side-encryption": "AES256"
            }
        }
    },
    {
        "Sid": "DenyUnEncryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": {
            "Null": {
                "s3:x-amz-server-side-encryption": "true"
            }
        }
    }

I used the same key for self-created key for S3, SNS, and SQS, though I don't think that's strictly required. I used KMS materials, not external, although that should not make any real difference either.

[jazzl0ver]

Thanks for sharing! Added a link to this issue in the wiki