1
votes

I have an encrypted SQS queue and SNS topic, encrypted with a customer-managed KMS key. Currently I'm using a similar kind of SQS policy as stated in the link below, where it is working fine: SQS Policy

But if I use the SQS policy below, it's not working. I don't want to have Principal as '*' for security reasons. Can someone explain to me why this is happening?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MySQSPolicy001",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue"
    }
  ]
}
1
This policy will not work for SNS. SNS is not principal AWS, but Service. The policy from your link is correct, so why not use it? – Marcin
But I've allowed all resources that are part of my account, right? – Prashanna
SNS is not part of your account. It's an AWS service. – Marcin
No problem. Glad it worked out :-) – Marcin

1 Answer

1
votes

So if you have a condition with the SNS ARN in your queue policy, then when more than one topic needs to publish to the same queue you might need to add the ARN again and again.

So the workaround will be the policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com",
        "AWS": "arn:aws:iam::1234567890:root"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:eu-central-1:1234567890:test-queue",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "1234567890"
        }
      }
    }
  ]
}
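The following is an added, offline model of how an SQS queue policy is evaluated; it is not AWS code and not part of the question or the answer. It encodes the question's account-root-only policy and the answer's `Service` plus `aws:SourceAccount` policy (using the question's constructed account id 123456789012 and queue ARN for both) and evaluates constructed requests against them, so you can see why an `"AWS"` principal never matches the `sns.amazonaws.com` service principal, and how the condition stops a topic in another account from delivering into the queue. Only the small subset of IAM evaluation needed for that (principal matching, `StringEquals`, implicit deny) is modelled; `SNS_SAME_ACCOUNT`, `SNS_OTHER_ACCOUNT`, `IAM_CALLER` and the topic ARNs are constructed sample inputs.

```python
"""Offline model of SQS queue-policy evaluation (added example, not AWS code).

Implements only the parts of IAM resource-policy evaluation needed to show
why an "AWS" account principal does not cover the SNS service principal and
how "Service" + aws:SourceAccount does.  Real evaluation has more rules
(identity policies, SCPs, other condition operators).  Account id and queue
ARN are the constructed values from the question.
"""

ACCOUNT_ID = "123456789012"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:MyQueue"

# Policy from the question: only the account's root principal is named.
ACCOUNT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MySQSPolicy001",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
    }],
}

# Policy from the answer: SNS service principal, scoped to this account.
SERVICE_PLUS_CONDITION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Queue1_SendMessage",
        "Effect": "Allow",
        "Principal": {
            "Service": "sns.amazonaws.com",
            "AWS": f"arn:aws:iam::{ACCOUNT_ID}:root",
        },
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": QUEUE_ARN,
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_matches(principal, request):
    """Match a statement's Principal block against the caller.

    request["principal_type"] is "AWS" (an IAM identity) or "Service".  An
    "AWS" entry never matches a Service caller, which is the core of the question.
    """
    if principal == "*":
        return True
    allowed = _as_list(principal.get(request["principal_type"], []))
    return "*" in allowed or request["principal"] in allowed


def condition_matches(condition, context):
    """Evaluate StringEquals conditions.  A key absent from the request context
    (e.g. aws:SourceAccount on a direct IAM call) does not match."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, request, action, resource):
    """Return "Allow" or "Deny": implicit deny unless a statement allows,
    and an explicit Deny statement always wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if resource not in _as_list(stmt["Resource"]):
            continue
        if not principal_matches(stmt["Principal"], request):
            continue
        if not condition_matches(stmt.get("Condition", {}), request.get("context", {})):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed requests: SNS delivering for a topic in this account, SNS
# delivering for a topic in another account, and an IAM identity in this
# account calling SQS directly (no aws:SourceAccount key in its context).
SNS_SAME_ACCOUNT = {
    "principal_type": "Service", "principal": "sns.amazonaws.com",
    "context": {"aws:SourceAccount": ACCOUNT_ID,
                "aws:SourceArn": f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:MyTopic"},
}
SNS_OTHER_ACCOUNT = {
    "principal_type": "Service", "principal": "sns.amazonaws.com",
    "context": {"aws:SourceAccount": "999999999999",
                "aws:SourceArn": "arn:aws:sns:us-east-1:999999999999:OtherTopic"},
}
IAM_CALLER = {
    "principal_type": "AWS", "principal": f"arn:aws:iam::{ACCOUNT_ID}:root",
    "context": {},
}

if __name__ == "__main__":
    for name, policy in [("account-only", ACCOUNT_ONLY_POLICY),
                         ("service+condition", SERVICE_PLUS_CONDITION_POLICY)]:
        for who, req in [("SNS same account", SNS_SAME_ACCOUNT),
                         ("SNS other account", SNS_OTHER_ACCOUNT),
                         ("IAM caller", IAM_CALLER)]:
            print(f"{name:18} {who:18} sqs:SendMessage -> "
                  f"{evaluate(policy, req, 'sqs:SendMessage', QUEUE_ARN)}")
```

Two things the model makes visible. First, the condition is what keeps the policy safe without a `"*"` principal: `sns.amazonaws.com` is shared by every AWS account, so without `aws:SourceAccount` (or, tighter still, `aws:SourceArn` pinned to the topic) any account's topic could be subscribed to the queue. Second, because the answer puts the `AWS` root principal in the same statement as the condition, a direct IAM call from the account (which carries no `aws:SourceAccount` key) is not allowed by this statement; same-account identities can still be authorised by their identity-based policies, but a cleaner least-privilege layout gives the service principal its own statement with only `sqs:SendMessage` and leaves `sqs:ReceiveMessage`/`sqs:DeleteMessage` to the consumer's role. For an encrypted queue, the KMS key policy must separately let `sns.amazonaws.com` use the key (`kms:GenerateDataKey*` and `kms:Decrypt`), or delivery still fails after the queue policy is fixed.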