docs: IAM permission clarification when using with encrypted SQS

pankajagrawal16 · pankajagrawal16 · commit 212c8410719f · 2022-01-31T12:37:00.000+01:00
diff --git a/docs/utilities/batch.md b/docs/utilities/batch.md
@@ -93,7 +93,11 @@ This utility requires additional permissions to work as expected. Lambda functio
 If you are also using [nonRetryableExceptions](#move-non-retryable-messages-to-a-dead-letter-queue) attribute, utility will need additional permission of `sqs:GetQueueAttributes` on source SQS. 
 It also needs `sqs:SendMessage` and `sqs:SendMessageBatch` on configured dead letter queue.  
 
-Refer [example project](https://github.com/aws-samples/aws-lambda-powertools-examples/blob/main/java/SqsBatchProcessing/template.yaml#L67) for policy details example.
+If source or dead letter queue is configured to use encryption at rest using [AWS Key Management Service (KMS)](https://aws.amazon.com/kms/), function will need additional permissions of 
+`kms:GenerateDataKey` and `kms:Decrypt` on the KMS key being used for encryption. Refer [docs](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#compatibility-with-aws-services) for more details.
+
+Refer [example project](https://github.com/aws-samples/aws-lambda-powertools-examples/blob/main/java/SqsBatchProcessing/template.yaml#L105) for policy details example.
+
 
 ## Processing messages from SQS
 
diff --git a/powertools-sqs/src/main/java/software/amazon/lambda/powertools/sqs/internal/BatchContext.java b/powertools-sqs/src/main/java/software/amazon/lambda/powertools/sqs/internal/BatchContext.java
@@ -174,7 +174,7 @@ private boolean moveNonRetryableMessagesToDlqIfConfigured(Map<SQSMessage, Except
 
         return sendMessageBatchResponses.stream()
                 .filter(response -> null != response && response.hasFailed())
-                .peek(sendMessageBatchResponse -> LOG.error("Failed sending message to the DLQ. Entire batch will be re processed. Check if need permissions are configured for the function. Response: {}", sendMessageBatchResponse))
+                .peek(sendMessageBatchResponse -> LOG.error("Failed sending message to the DLQ. Entire batch will be re processed. Check if needed permissions are configured for the function. Response: {}", sendMessageBatchResponse))
                 .count()  == 0;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,7 @@ private boolean moveNonRetryableMessagesToDlqIfConfigured(Map<SQSMessage, Except`
`174`	`174`
`175`	`175`	`return sendMessageBatchResponses.stream()`
`176`	`176`	`.filter(response -> null != response && response.hasFailed())`
`177`		`- .peek(sendMessageBatchResponse -> LOG.error("Failed sending message to the DLQ. Entire batch will be re processed. Check if need permissions are configured for the function. Response: {}", sendMessageBatchResponse))`
	`177`	`+ .peek(sendMessageBatchResponse -> LOG.error("Failed sending message to the DLQ. Entire batch will be re processed. Check if needed permissions are configured for the function. Response: {}", sendMessageBatchResponse))`
`178`	`178`	`.count() == 0;`
`179`	`179`	`}`
`180`	`180`