ministryofjustice / cloud-platform

Documentation on the MoJ cloud platform
MIT License

Enable KMS encryption on notifications from S3 to SQS #3128

Closed markreesmoj closed 3 years ago

markreesmoj commented 3 years ago

Service name

HMPPS Workload

Service environment

Currently present in development environment

Impact on the service

Provide real impact description on the service mentioned. It can include any potential blockers for the product team.

Not essential, but we would like to encrypt the notifications S3 sends to SQS when a file is uploaded. The impact is that a security review might raise the lack of encryption as a concern.

https://github.com/ministryofjustice/cloud-platform-environments/pull/5354/files

Problem description

When we enable KMS encryption as per

https://github.com/ministryofjustice/cloud-platform-environments/pull/5354/files

notifications are not sent to the queue when an item is changed in the bucket

Steps to reproduce

Perhaps this is the problem?

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#compatibility-with-aws-services

Contact person

Slack

manage_a_workforce_dev

@carloveo @markrees

poornima-krishnasamy commented 3 years ago

This is fixed in release 4.4. Please use encrypt_sqs_kms = true to enable KMS encryption.
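
Added example, not from the issue thread or the cloud-platform modules: a check of a KMS key policy for the grants that the AWS documentation section linked in the issue describes for services that send to encrypted queues. It assumes the missing S3 grant is the cause the reporter suspected; the function name, sample policies and account ID are constructed for illustration.

```python
import fnmatch
import json

# Actions the linked AWS guide lists for services that send to encrypted queues.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
S3_PRINCIPAL = "s3.amazonaws.com"


def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def missing_s3_actions(key_policy_json):
    """Return the required actions that no Allow statement grants to S3.

    Simplified: only explicit Service principals count, and Deny statements,
    NotAction and Condition blocks are not evaluated.
    """
    granted = set()
    for stmt in _as_list(json.loads(key_policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or S3_PRINCIPAL not in services:
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in REQUIRED_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED_ACTIONS if a not in granted]


# Constructed sample policies; the account ID is a placeholder.
ROOT_ONLY = {"Sid": "EnableIAM", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"}
S3_GRANT = {"Sid": "AllowS3Notifications", "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_ONLY]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_ONLY, S3_GRANT]})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "missing for S3:", missing_s3_actions(doc) or "nothing")
```

The AWS managed key for SQS cannot carry such a statement because its key policy is not editable, so the check only makes sense against a customer managed key.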