While migrating an existing service to a new AWS account, I ran into a strange error when trying to set up an SNS topic for SES feedback notifications (Bounce, Complaint, Delivery):
An invalid or out-of-range value was supplied for the input parameter.
I had created the SNS topic as a "Standard" type, in the same region as SES, and configured the access policy to allow ses.amazonaws.com with sns:Publish. Everything seemed correct, so I couldn't figure out what was wrong.
Root Cause
The problem turned out to be insufficient KMS key policy permissions on the encryption key used for the SNS topic.
When publishing to an encrypted SNS topic, the publishing service (in this case, SES) needs permissions for both kms:GenerateDataKey and kms:Decrypt on the topic's key. The actual encryption/decryption is handled by SNS, but SES must be allowed to trigger the KMS API calls required for that process, so the key policy has to grant those actions to the ses.amazonaws.com service principal.
However, in this case I had used the AWS managed key alias/aws/sns for SNS topic encryption, whose key policy cannot be edited to grant those permissions.
Solution
The workaround was to create a customer managed key (CMK) named sns-ses-dev-1, attach the following key policy, and configure it for the SNS topic:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESToUseKMSKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
After applying this, I was finally able to configure the SNS topic for SES feedback notifications successfully.
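As an added example (not code from the original post), the check below reads a KMS key policy and reports which of the two actions SES needs are not granted to the ses.amazonaws.com service principal, which is exactly the gap that produced the error above; it also builds the post's statement with an aws:SourceAccount condition, which is my assumed hardening to stop SES acting for another account from using the key. The account id is a constructed placeholder.

```python
import json
from fnmatch import fnmatchcase

# The two KMS actions SES needs on the key that encrypts the SNS topic.
REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
SES_PRINCIPAL = "ses.amazonaws.com"


def _as_list(value):
    """IAM policy JSON allows either a single value or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_ses_actions(policy_json: str, service: str = SES_PRINCIPAL) -> set:
    """Return the required actions that no Allow statement grants to `service`.

    Only service principals are inspected; wildcards in Action (e.g. "kms:*")
    are expanded with shell-style matching. An empty set means the key policy
    lets SES publish to the encrypted topic; anything else is the missing grant.
    """
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if service not in services:
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted |= {a for a in REQUIRED_ACTIONS if fnmatchcase(a, pattern)}
    return REQUIRED_ACTIONS - granted


def ses_key_statement(account_id: str) -> dict:
    """The post's statement plus an aws:SourceAccount condition (assumed hardening)."""
    return {
        "Sid": "AllowSESToUseKMSKey",
        "Effect": "Allow",
        "Principal": {"Service": SES_PRINCIPAL},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }


# Constructed samples: the hardened policy, and one that only grants kms:Decrypt.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ses_key_statement("111122223333")]})
DECRYPT_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": SES_PRINCIPAL}, "Action": "kms:Decrypt", "Resource": "*"}]})
```

A full key policy still needs the usual administrative statement for your account's IAM principals alongside this one; the checker only looks at what SES is granted.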
Final Thoughts
Since CMKs incur additional cost, it might not be worth enabling SNS topic encryption in development environments at all. Using encryption only in production could be a more balanced approach.