Basically, to publish a message to the Amazon Simple Queue Service (Amazon SQS), the lifecycle hook’s AWS Identity and Access Management (IAM) role must:

• Be different from the IAM role assigned to the instance.
• Be listed as a key user on the AWS Key Management Service (AWS KMS) key policy.
• Have a trust policy attached for the Auto Scaling service.
• Include specific manage policy actions.
• Be associated with the Amazon EC2 Auto Scaling group.
• Have access to the encryption key used by Amazon SQS.

Today, let us see the steps followed by our Support Techs to resolve it.

1.Firstly, confirm that you’re using an IAM role for the lifecycle hook that’s different from the IAM role you’ve assigned to the instance.

Note: You can create an IAM role, or use the following AWS managed role that has all of the necessary permissions:

arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole

2.Then, verify that the role is included as a key user on the KMS key policy.

To do this:

• Firstly, open the AWS KMS console.
• Then, select the KMS key.
• Next, verify that the role is listed under Key users on the Key policy tab. If the role isn’t listed, search for it, and then select Add.

3.Next, make sure that the IAM role for the lifecycle hook has a trust policy attached for the Amazon EC2 Auto Scaling service.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "autoscaling.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

4.Then, verify that the managed policy for the lifecycle hook’s IAM role includes the following actions:
For SQS messages

sqs:SendMessage
sqs:GetQueueUrl

For SNS notifications

sns:Publish

5.Then, in the AWS Command Line Interface (AWS CLI), run the aws autoscaling put-lifecycle-hook command.

6.Finally, run the command below to confirm that the lifecycle hook is associated with the Auto Scaling group.

aws autoscaling describe-lifecycle-hooks --auto-scaling-group-name "ExampleSQSQueueName"