I have an SQS queue, which has no policy defined. The queue is not owned by me, I have no idea how it is used, and I do not want to break it. I need to add permission for sending messages from a different account, i.e.:

    {
       "Version": "2012-10-17",
       "Id": "Queue1_Policy_UUID",
       "Statement": [{
          "Sid":"Queue1_Send_Receive",
          "Effect": "Allow",
          "Principal": { "AWS": [ "111122223333" ] },
          "Action": [ "sqs:SendMessage" ],
          "Resource": "arn:aws:sqs:us-east-1:my-queue"
       }]
    }

Adding such a policy to the queue will override the default policy, which grants full access to the account which created the queue. I cannot find a definition/equivalent of this default policy.

How can I add my statement to the queue’s resource policy without breaking access in the account owning the queue?

2 Answers


  1. The policy you have shown will grant permission to send a message to the queue.

    The safest option is to specifically add the ARN of the resource that wants to send messages to the queue. For example, if some code is using an IAM Role, you could add the permission like this:

      "Principal": { 
        "AWS": [
          "111122223333",
          "arn:aws:iam::123456789012:role/role-from-other-account"
        ]
      },
    

    Or, if you wish to trust an entire AWS Account, just add that account number:

      "Principal": { 
        "AWS": [
          "111122223333",
          "123456789012"
        ]
      },
    

    For this to work, there must also be a policy in the other account that grants the resource permission to use the SQS queue. For example, if an IAM Role in the ‘other’ account (Other-Role) wants to access the SQS role in ‘this’ account (This-Account), then it would need permissions such as:

    {
       "Version": "2012-10-17",
       "Statement": [
         {
          "Effect": "Allow",
          "Action": "sqs:SendMessage",
          "Resource": "arn:aws:sqs:us-east-2:111122223333:queue1"
         }
       ]
    }
    

    This is because cross-account permissions must be added to the IAM entity in the sending account and the receiving resource. This stops other people being able to access your resources unless you specifically grant permission.

  2. To obtain a ‘default’ policy, simply create a new SQS Queue. It will display a policy like this:

    {
      "Version": "2012-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__owner_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "111111111111"
          },
          "Action": [
            "SQS:*"
          ],
          "Resource": "arn:aws:sqs:ap-southeast-2:111111111111:queue-name"
        }
      ]
    }
    
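An added example, not part of the question or either answer: a read-merge-write helper that appends the cross-account statement to whatever policy the queue already has and, when the queue has none, starts from an owner statement of the shape shown in answer 2. The function names and the Sid `AllowSendFromOtherAccountRole` are assumptions; the ARNs reuse the placeholder values from the page.

```python
import copy
import json

def owner_statement(queue_arn):
    """Owner statement in the shape of the default policy shown in answer 2."""
    account_id = queue_arn.split(":")[4]  # arn:aws:sqs:<region>:<account>:<name>
    return {
        "Sid": "__owner_statement",
        "Effect": "Allow",
        "Principal": {"AWS": account_id},
        "Action": ["SQS:*"],
        "Resource": queue_arn,
    }

def merge_queue_policy(current_policy_json, queue_arn, new_statement):
    """Return policy JSON with new_statement added and no existing statement dropped."""
    if current_policy_json:
        policy = json.loads(current_policy_json)
    else:  # queue has no 'Policy' attribute: assume the owner statement should be kept
        policy = {"Version": "2012-10-17", "Id": "__default_policy_ID",
                  "Statement": [owner_statement(queue_arn)]}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    # Replace any statement with the same Sid so re-running the merge is idempotent.
    sid = new_statement.get("Sid")
    merged = [s for s in statements if sid is None or s.get("Sid") != sid]
    merged.append(copy.deepcopy(new_statement))
    policy["Statement"] = merged
    return json.dumps(policy, indent=2)

# Constructed sample values, reusing the page's placeholder account IDs.
QUEUE_ARN = "arn:aws:sqs:us-east-2:111122223333:queue1"
SEND_STATEMENT = {
    "Sid": "AllowSendFromOtherAccountRole",  # hypothetical Sid
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/role-from-other-account"},
    "Action": ["sqs:SendMessage"],
    "Resource": QUEUE_ARN,
}

if __name__ == "__main__":
    # With boto3 (assumed installed and configured), the input would come from
    # sqs.get_queue_attributes(QueueUrl=url, AttributeNames=["Policy"])
    #     .get("Attributes", {}).get("Policy"), and the result would be written with
    # sqs.set_queue_attributes(QueueUrl=url, Attributes={"Policy": merged}).
    print(merge_queue_policy(None, QUEUE_ARN, SEND_STATEMENT))
```

Diffing the printed policy against the queue's current `Policy` attribute before writing it back shows exactly which statement is being added.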