How to organize access to SQS queue from SNS?
Hello everyone,
Question 1. As you know, it is possible to allow SNS to send messages to SQS if we attach the following IAM permission to the SQS queue:
{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:eu-west-1:123456789012:communications-email-queue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid456724056456",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-1:123456789012:communications-email-queue",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:eu-west-1:123456789012:ias-usermanagement"
        }
      }
    }
  ]
}
It doesn't work that way :) Policy and roles are not attached to the resource. A policy has Principal - to whom it is possible, Action - what is possible (or not), and Resource - with which resource the action is performed. Well, the condition is attached - where the traffic comes from.
In fact, when requested, the policies for the starting and ending points of the traffic are simply validated.
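An added example, not part of the original thread: a small Python check that reads a queue policy like the one in the question and reports whether each Allow statement with a wildcard Principal is narrowed by an aws:SourceArn condition. The function names and the OPEN/BROAD/SCOPED verdicts are assumptions of this example, and only the ArnEquals/ArnLike operators are considered.

```python
import json

# The queue policy from the question (Id omitted), embedded so the check runs offline.
QUEUE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "Sid456724056456",
   "Effect": "Allow",
   "Principal": {"AWS": "*"},
   "Action": "SQS:SendMessage",
   "Resource": "arn:aws:sqs:eu-west-1:123456789012:communications-email-queue",
   "Condition": {"ArnEquals": {
     "aws:SourceArn": "arn:aws:sns:eu-west-1:123456789012:ias-usermanagement"}}
 }]}
""")

ARN_OPERATORS = {"ArnEquals", "ArnLike"}  # these two behave identically in IAM

def as_list(value):
    """IAM allows a single value or a list in most positions."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def source_arns(statement):
    """Collect aws:SourceArn values (condition key names are case-insensitive)."""
    found = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ARN_OPERATORS:
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    found.extend(as_list(value))
    return found

def audit(policy):
    """Return (sid, verdict, source_arns) for each Allow with Principal '*'."""
    results = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        arns = source_arns(st)
        if not arns:
            verdict = "OPEN"      # any principal may perform the allowed actions
        elif any("*" in a or "?" in a for a in arns):
            verdict = "BROAD"     # wildcard inside the source ARN pattern
        else:
            verdict = "SCOPED"    # limited to the listed source ARNs
        results.append((st.get("Sid", "<no Sid>"), verdict, arns))
    return results
```

Calling `audit(QUEUE_POLICY)` on the policy from the question reports its single statement as SCOPED to the `ias-usermanagement` topic.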