0
votes

I am trying to make an IAM Role via CloudFormation and am getting this error when trying to attach a QueuePolicy resource to an IAM::Role resource.

ARN stack-personSQSPolicy-3F02ILJ96DB1 is not valid. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID: 4410ba76-30ce-4d15-be3c-6d5040f971f0)

Here is my CloudFormation Role and Policy definition:

APIGatewaySQSRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      # Version belongs at the policy-document level, not under Principal
      Version: '2012-10-17'
      Statement:
        - Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: apigateway.amazonaws.com
    ManagedPolicyArns:
      # This !Ref is what produces the "ARN ... is not valid" error:
      # Ref on an AWS::SQS::QueuePolicy returns its logical name, not an IAM policy ARN
      - !Ref personSQSPolicy
      - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
personSQSPolicy:
  Type: 'AWS::SQS::QueuePolicy'
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          # Principal assumed here: a resource-based (queue) policy statement requires one
          Principal:
            Service: apigateway.amazonaws.com
          Action: 'sqs:SendMessage'
          Resource: !GetAtt personSQS.Arn
    Queues:
      - !Ref personSQS   # Ref on an AWS::SQS::Queue returns the queue URL, which Queues expects

What's the point of Type: 'AWS::SQS::QueuePolicy' if it doesn't allow its use as an ARN in the Role resource? It seems like I still have to manually create that policy in the IAM Role resource block.

Policies:
  - PolicyName: apig-sqs-send-msg-policy
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action: 'sqs:SendMessage'
          Effect: Allow
          Resource: !GetAtt personSQS.Arn

Is there a way to avoid this?

1 Answer

1
votes

Since SQS queues can be publicly accessible, they need a security mechanism if people are going to access them without a role.

This is why you have a QueuePolicy (AWS::SQS::QueuePolicy) that you can define for the queue, and it can be applied to one or more queues. It will help you define who's allowed to access it, how, etc., directly from the point of view of the queue.

You then attach your QueuePolicy to your queue(s) with the CloudFormation attribute Queues (see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html#cfn-sqs-queuepolicy-queues).

If you want to define a role for accessing your queue, yes, you'll have to describe kind of the same policy, but this time from the point of view of the resource accessing it. I still recommend that you secure the access to your queue with a QueuePolicy.

As for your last question, defining the QueuePolicy and attaching it to your queue is the right way to do it.

Watch out: the Queues attribute expects a list of queue URLs, not ARNs.
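To make the two-sided model concrete, here is an added example template (not the asker's or answerer's own code) that wires the pieces together the way the answer describes. The identity side uses an AWS::IAM::ManagedPolicy resource, whose Ref does return an IAM policy ARN, so it can legitimately sit in ManagedPolicyArns; the resource side is an AWS::SQS::QueuePolicy whose Principal is pinned to the role's ARN rather than left open. The queue, policy, role and Sid names, and the extra deny-insecure-transport statement, are assumptions made for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example only - least-privilege SendMessage path from API Gateway to SQS

Resources:
  personSQS:
    Type: AWS::SQS::Queue

  # Identity side: a customer managed policy. Unlike a QueuePolicy, Ref on this
  # resource yields an IAM ARN, so it is valid inside ManagedPolicyArns.
  personSQSSendPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allow sending to the person queue only
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: SendToPersonQueue
            Effect: Allow
            Action: sqs:SendMessage
            Resource: !GetAtt personSQS.Arn

  APIGatewaySQSRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: apigateway.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref personSQSSendPolicy   # ARN of the managed policy above
        - arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

  # Resource side: the queue states who may reach it. Principal is the specific
  # role ARN, so no other identity in the account (or elsewhere) is granted access.
  personSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref personSQS             # Ref on a queue returns its URL, which Queues expects
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowSendFromApiGatewayRole
            Effect: Allow
            Principal:
              AWS: !GetAtt APIGatewaySQSRole.Arn
            Action: sqs:SendMessage
            Resource: !GetAtt personSQS.Arn
          - Sid: DenyInsecureTransport   # assumed hardening: refuse plain-HTTP callers
            Effect: Deny
            Principal: '*'
            Action: 'sqs:*'
            Resource: !GetAtt personSQS.Arn
            Condition:
              Bool:
                aws:SecureTransport: 'false'
```

Both policies must allow the action for the call to succeed: the managed policy says what the role may do, and the queue policy says who the queue accepts. Removing either one from a future edit leaves the other as a backstop, which is the reason for keeping the queue policy even when a role exists.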