I tried this SQS queue policy:
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Principal" : {
        "Service" : "s3.amazonaws.com"
      },
      "Action" : "sqs:SendMessage",
      "Resource" : {sqs_queue_arn},
      "Condition" : {
        "StringEquals" : {
          "aws:PrincipalOrgID" : {our_org_id}
        },
        "ArnLike" : {
          "aws:SourceArn" : "arn:aws:s3:::*"
        }
      }
    }
  ]
}
When testing it, it DOES let you apply the policy to the queue without error; however, it doesn't actually let S3 buckets send to it.
Currently I'm having to add each account ID individually, which just doesn't scale for us.
Is there maybe an alternative way of doing this besides keeping track of all account IDs manually?
OK, found a way to do it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": {sqs_queue_arn},
      "Condition": {
        "StringEquals": {
          "aws:ResourceOrgID": {our_org_id}
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::*"
        }
      }
    }
  ]
}
So, like @luk2302 said in the comment, AWS is the principal sending this and it doesn't have an org ID. So we just look at the resource (S3 object) owner's org ID instead. This works.
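Added example, not code from the post above: a small offline Python model of how IAM evaluates the two queue policies when the caller is the S3 service principal. It encodes the documented semantics of the two keys: aws:PrincipalOrgID is populated only for IAM principals that belong to an organization, so it is absent for s3.amazonaws.com and a StringEquals on it fails; aws:ResourceOrgID is the organization of the resource being accessed, which for a queue policy is the queue itself. The queue ARN, org ID and bucket names are constructed placeholders, and the evaluator supports only the operators these two policies use.

```python
"""Simplified simulation of IAM evaluation for the two SQS queue policies.

Added example; it does not call AWS. Assumptions (see lead-in):
- A condition key absent from the request context makes StringEquals/ArnLike fail.
- The S3 service principal carries no aws:PrincipalOrgID.
- aws:ResourceOrgID is the org of the resource being accessed (the queue).
"""
import fnmatch
import json

# Constructed placeholders, not real identifiers.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:bucket-events"
ORG_ID = "o-exampleorgid"


def queue_policy(org_condition_key):
    """Build the posted policy with either org condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": QUEUE_ARN,
                "Condition": {
                    "StringEquals": {org_condition_key: ORG_ID},
                    "ArnLike": {"aws:SourceArn": "arn:aws:s3:::*"},
                },
            }
        ],
    }


PRINCIPAL_ORG_POLICY = queue_policy("aws:PrincipalOrgID")  # the first attempt
RESOURCE_ORG_POLICY = queue_policy("aws:ResourceOrgID")    # the working one


def s3_notification_context(bucket_name):
    """Request context S3 presents when it delivers a bucket notification.

    Only the bucket ARN varies per request. aws:ResourceOrgID is fixed because it
    describes the queue; aws:PrincipalOrgID is deliberately absent because the
    caller is a service principal, not an IAM principal inside an organization.
    """
    return {
        "principal_service": "s3.amazonaws.com",
        "action": "sqs:SendMessage",
        "resource": QUEUE_ARN,
        "aws:SourceArn": f"arn:aws:s3:::{bucket_name}",
        "aws:ResourceOrgID": ORG_ID,
    }


def _condition_met(condition_block, ctx):
    """Evaluate StringEquals and ArnLike; every key/value pair must match."""
    for operator, pairs in condition_block.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # missing key: non-negated operators evaluate false
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "ArnLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
            if operator not in ("StringEquals", "ArnLike"):
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_allowed(policy_doc, ctx):
    """Return True if any Allow statement matches principal, action, resource and conditions."""
    for stmt in policy_doc["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"].get("Service") != ctx["principal_service"]:
            continue
        if stmt["Action"] != ctx["action"] or stmt["Resource"] != ctx["resource"]:
            continue
        if _condition_met(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    ctx = s3_notification_context("some-bucket")
    print(json.dumps(RESOURCE_ORG_POLICY, indent=2))
    print("PrincipalOrgID policy allows S3:", is_allowed(PRINCIPAL_ORG_POLICY, ctx))
    print("ResourceOrgID policy allows S3: ", is_allowed(RESOURCE_ORG_POLICY, ctx))
```

Run it as a script to see the first policy evaluate to False and the second to True for the same S3 request. Because aws:ResourceOrgID describes the queue, nothing in the context built above changes with the account that owns the bucket; the keys S3 populates about the sending bucket are aws:SourceArn and aws:SourceAccount, so those are the ones to tighten if the set of permitted buckets or accounts matters.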