
Allow any AWS resource from an account to publish to an SQS queue


According to the AWS documentation, this policy allows any S3 bucket to send a notification to an SNS topic:

{
    "Version":"2012-10-17",
    "Id":"MyAWSPolicy",
    "Statement" :[
        {
            "Sid":"My-statement-id",
            "Effect":"Allow",
            "Principal" :"*",
            "Action":"sns:Publish",
            "Resource":"arn:aws:sns:us-east-1:111122223333:My-Topic",
            "Condition":{
               "StringEquals":{
                  "AWS:SourceAccount":"444455556666"
                }
            }
        }
    ]
}

I want to do the same for an SQS queue instead of an SNS topic. This Policy doesn't work:

{
    "Version":"2012-10-17",
    "Id":"MyAWSPolicy",
    "Statement" :[
        {
            "Sid":"My-statement-id",
            "Effect":"Allow",
            "Principal" :"*",
            "Action":"sqs:SendMessage",
            "Resource":"arn:aws:sqs:us-east-1:111122223333:My-Queue",
            "Condition":{
               "ArnLike":{
                  "aws:SourceArn":"arn:aws:s3:*:111122223333:*"
                }
            }
        }
    ]
}

This (allowing every AWS account in the world) works:

{
    "Version":"2012-10-17",
    "Id":"MyAWSPolicy",
    "Statement" :[
        {
            "Sid":"My-statement-id",
            "Effect":"Allow",
            "Principal" :"*",
            "Action":"sqs:SendMessage",
            "Resource":"arn:aws:sqs:us-east-1:111122223333:My-Queue",
            "Condition":{
               "ArnLike":{
                  "aws:SourceArn":"arn:aws:s3:*:*:*"
                }
            }
        }
    ]
}

But when I try to restrict it with the Principal, it doesn't work again:

{
    "Version":"2012-10-17",
    "Id":"MyAWSPolicy",
    "Statement" :[
        {
            "Sid":"My-statement-id",
            "Effect":"Allow",
            "Principal" :"111122223333",
            "Action":"sqs:SendMessage",
            "Resource":"arn:aws:sqs:us-east-1:111122223333:My-Queue",
            "Condition":{
               "ArnLike":{
                  "aws:SourceArn":"arn:aws:s3:*:*:*"
                }
            }
        }
    ]
}

By "doesn't work" I mean that the Policy is accepted as valid, but when I try to configure an S3 bucket to send a notification (NotificationConfiguration) I get the error:

Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket

Solution

  • If you want to restrict access to a specific AWS account, you need to add a nested AWS block under Principal:

    "Principal": {
      "AWS": "111122223333"
    },
    

    or with multiple accounts:

    "Principal" : { 
      "AWS": [ 
        "123456789012",
        "555555555555" 
      ]
    }
    

    See AWS JSON policy elements: Principal for details.
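As an added example (not code from the question or the answer above), the script below builds an SQS queue policy for S3 event notifications and lints a policy for the three pitfalls visible in the question: a bare account-ID string as Principal, an SNS ARN where an SQS queue ARN is needed, and an aws:SourceArn pattern that puts an account ID into the account field of an S3 bucket ARN (bucket ARNs have the form arn:aws:s3:::bucket, with empty region and account fields, which is why the arn:aws:s3:*:*:* pattern matches and the arn:aws:s3:*:111122223333:* pattern never does). The builder uses the S3 service principal plus aws:SourceAccount, the combination AWS documents for S3 notification destinations, instead of the plain account principal the answer shows; all queue, account and bucket values are constructed placeholders.

```python
"""Build an SQS queue policy for S3 event notifications and lint a policy
for the pitfalls shown in the question. Added example; all ARNs, account
IDs and names are constructed placeholders."""
import json
import re

# arn:partition:service:region:account:resource
_ARN = re.compile(r"^arn:([^:]*):([^:]*):([^:]*):([^:]*):(.*)$")


def arn_like(pattern, arn):
    """ArnLike-style comparison: '*' and '?' are wildcards, everything else
    is literal. A wildcard also matches an empty field, which is why
    'arn:aws:s3:*:*:*' matches the bucket ARN 'arn:aws:s3:::my-bucket'."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def build_queue_policy(queue_arn, source_account, bucket_name="*"):
    """Queue policy letting S3 deliver notifications only from buckets owned
    by source_account. The S3 service principal plus aws:SourceAccount and
    aws:SourceArn keeps a bucket in a foreign account from using the queue
    as a relay (the classic confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Id": "S3NotificationPolicy",
        "Statement": [{
            "Sid": "AllowS3FromOwnAccount",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"},
                "StringEquals": {"aws:SourceAccount": source_account},
            },
        }],
    }


def lint_queue_policy(policy):
    """Return human-readable problems; an empty list means none were found."""
    problems = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        # 1. A bare string Principal is only valid as "*"; an account ID
        #    must be nested as {"AWS": "<id>"} (the answer's point).
        principal = stmt.get("Principal")
        if isinstance(principal, str) and principal != "*":
            problems.append(f'{sid}: Principal "{principal}" must be written '
                            f'as {{"AWS": "{principal}"}}')
        # 2. The Resource of a queue policy must be an SQS queue ARN.
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            m = _ARN.match(arn)
            if not m or m.group(2) != "sqs":
                problems.append(f"{sid}: Resource {arn!r} is not an SQS queue ARN")
        # 3. S3 bucket ARNs have empty region and account fields, so a
        #    SourceArn pattern with an account ID in that slot never matches.
        for op in ("ArnLike", "ArnEquals"):
            src = stmt.get("Condition", {}).get(op, {}).get("aws:SourceArn", [])
            for pat in [src] if isinstance(src, str) else src:
                m = _ARN.match(pat)
                if m and m.group(2) == "s3" and m.group(4) not in ("", "*"):
                    problems.append(f"{sid}: aws:SourceArn {pat!r} can never match "
                                    "an S3 bucket ARN (account field must be empty or *)")
    return problems


if __name__ == "__main__":
    policy = build_queue_policy(
        "arn:aws:sqs:us-east-1:111122223333:My-Queue", "111122223333")
    print(json.dumps(policy, indent=2))
    print("problems:", lint_queue_policy(policy))
```

Running the script prints the generated policy and an empty problem list; feeding lint_queue_policy the question's third policy (string Principal, SNS resource ARN and an account ID inside the S3 SourceArn) reports all three issues.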