
I want to allow only ONE Lambda function (arn:aws:lambda:ap-southeast-2:444455556666:function:source-lambda) to send messages to my SQS queue (arn:aws:sqs:ap-southeast-2:444455556666:target-sqs). So I attached the access policy below to my SQS queue. However, this policy is not allowing the specified Lambda to send messages to the SQS queue and returns an AccessDenied exception.

{
  "Version": "2012-10-17",
  "Id": "Policy1666948352567",
  "Statement": [
    {
      "Sid": "Stmt1666948347116",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:ap-southeast-2:444455556666:target-sqs",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:lambda:ap-southeast-2:444455556666:function:source-lambda"
        }
      }
    }
  ]
}

2 Answers


  1. Problem:

    Policy rules follow this priority:

    Explicit Deny (Highest) --> Explicit Allow --> Implicit Deny (Default)

    Here in your policy, you have defined an explicit deny for all other resources which are not arn:aws:lambda:ap-southeast-2:444455556666:function:source-lambda.

    But you haven't explicitly allowed the Lambda to send a message to that SQS queue, so the implicit deny applied and hence you are receiving Access Denied.


    Solution:

    Why don't you use "Effect": "Allow" and "ArnEquals"? This will satisfy your use case by only allowing that specific Lambda to send a message.

    {
      "Version": "2012-10-17",
      "Id": "Policy1666948352567",
      "Statement": [
        {
          "Sid": "Stmt1666948347116",
          "Effect": "Allow", // <---- HERE
          "Principal": "*",
          "Action": "sqs:SendMessage",
          "Resource": "arn:aws:sqs:ap-southeast-2:444455556666:target-sqs",
          "Condition": {
            "ArnEquals": { // <--- HERE
              "aws:SourceArn": "arn:aws:lambda:ap-southeast-2:444455556666:function:source-lambda"
            }
          }
        }
      ]
    }
    
  2. I was able to implement similar restrictions using the following SQS Access policy:

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": {
            "AWS": "arn:aws:iam::<ACCOUNT-NUMBER>:root"
          },
          "Action": "SQS:SendMessage",
          "Resource": "<QUEUE-ARN>",
          "Condition": {
            "StringNotLike": {
              "aws:userid": "*<LAMBDA-FUNCTION-NAME>*"
            }
          }
        }
      ]
    }
    

    It may not be the best way to implement this restriction, but at least it works.

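To make the evaluation order from the first answer (explicit Deny, then explicit Allow, then the default implicit Deny) concrete, here is a small simulator written for this page; it is not AWS code and not code from either answer. It evaluates one SQS resource policy against a request and models only what the thread uses: Effect, Principal ("*" or an account root ARN), Action, Resource, and the ArnEquals / ArnNotEquals / StringNotLike family of operators, including the documented rule that a negated operator such as ArnNotEquals evaluates to true when the condition key is absent from the request context. It runs the question's original Deny/ArnNotEquals policy, the first answer's Allow/ArnEquals fix, and the second answer's account-root Deny/StringNotLike aws:userid pattern. The queue and function ARNs are the ones from the question; the other-lambda ARN, the assumed-role ARN and the aws:userid values are constructed sample data.

```python
# Added example: a toy simulator of SQS resource-policy evaluation
# (explicit Deny > explicit Allow > implicit Deny). Not AWS code.
import fnmatch

QUEUE = "arn:aws:sqs:ap-southeast-2:444455556666:target-sqs"
SOURCE_LAMBDA = "arn:aws:lambda:ap-southeast-2:444455556666:function:source-lambda"
OTHER_LAMBDA = "arn:aws:lambda:ap-southeast-2:444455556666:function:other-lambda"  # constructed
ACCOUNT = "444455556666"
# Constructed: the execution role a function would call SQS with.
ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/source-lambda-role/source-lambda"

# Positive operators fail when the context key is absent; the negated
# operators (ArnNotEquals, StringNotLike, ...) evaluate to true on an absent key.
_POSITIVE = {
    "ArnEquals": fnmatch.fnmatchcase,      # ArnEquals and ArnLike both accept * and ?
    "ArnLike": fnmatch.fnmatchcase,
    "StringEquals": lambda value, pattern: value == pattern,
    "StringLike": fnmatch.fnmatchcase,
}
_NEGATED = {"ArnNotEquals": "ArnEquals", "ArnNotLike": "ArnLike",
            "StringNotEquals": "StringEquals", "StringNotLike": "StringLike"}


def condition_holds(condition, context):
    """Every operator/key pair in a Condition block must hold."""
    for operator, pairs in condition.items():
        negated = operator in _NEGATED
        match = _POSITIVE[_NEGATED.get(operator, operator)]
        for key, pattern in pairs.items():
            value = context.get(key)
            if value is None:
                holds = negated          # absent key: false for positive, true for negated
            else:
                holds = match(value, pattern) != negated
            if not holds:
                return False
    return True


def principal_matches(principal, caller_arn):
    """'*' matches anyone; an account root ARN matches every identity in that account."""
    if principal == "*":
        return True
    allowed = principal.get("AWS", [])
    allowed = [allowed] if isinstance(allowed, str) else allowed
    for arn in allowed:
        if arn == caller_arn:
            return True
        # Field 4 of an ARN is the account id, e.g. arn:aws:iam::444455556666:root
        if arn.endswith(":root") and arn.split(":")[4] == caller_arn.split(":")[4]:
            return True
    return False


def evaluate(policy, action, resource, caller_arn, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names are case-insensitive ("SQS:SendMessage" == "sqs:SendMessage").
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"       # highest priority; no Allow can override it
        decision = "allow"
    return decision


def policy(effect, principal, condition, action="sqs:SendMessage", resource=QUEUE):
    """Build a single-statement policy document in the shape used by the thread."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": principal, "Action": action,
        "Resource": resource, "Condition": condition}]}


ORIGINAL = policy("Deny", "*", {"ArnNotEquals": {"aws:SourceArn": SOURCE_LAMBDA}})
FIXED = policy("Allow", "*", {"ArnEquals": {"aws:SourceArn": SOURCE_LAMBDA}})
USERID_DENY = policy("Deny", {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                     {"StringNotLike": {"aws:userid": "*source-lambda*"}},
                     action="SQS:SendMessage")


def run_scenarios():
    """Decision for each (policy, request context) pair; contexts are constructed."""
    cases = {
        "original/source": (ORIGINAL, {"aws:SourceArn": SOURCE_LAMBDA}),
        "original/other": (ORIGINAL, {"aws:SourceArn": OTHER_LAMBDA}),
        "original/no-key": (ORIGINAL, {}),
        "fixed/source": (FIXED, {"aws:SourceArn": SOURCE_LAMBDA}),
        "fixed/other": (FIXED, {"aws:SourceArn": OTHER_LAMBDA}),
        "userid/source": (USERID_DENY, {"aws:userid": "AROAEXAMPLEID:source-lambda"}),
        "userid/other": (USERID_DENY, {"aws:userid": "AROAEXAMPLEID:other-lambda"}),
    }
    return {name: evaluate(pol, "sqs:SendMessage", QUEUE, ROLE, ctx)
            for name, (pol, ctx) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18} -> {decision}")
```

Running it shows the three outcomes side by side: the original Deny-only policy never produces an allow, so the intended function ends at implicit_deny (the AccessDenied in the question) while every other source ARN, and any caller whose request carries no aws:SourceArn at all, hits the explicit deny; the Allow/ArnEquals version allows the named function and leaves everyone else at the default implicit deny. The simulator covers the resource policy alone: within the same account an allow in the caller's identity policy (for example the execution role) also grants access, which is why the second answer's deny-only policy can work, and why its source and other cases differ only in whether the explicit deny fires. One caveat on the condition key: aws:SourceArn is present only when an AWS service calls SQS on behalf of a resource, so a function's own SDK call, made as its execution role, is the no-key case above rather than the source case.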