Message isn't sent to SQS when I specify Principal in access policy

Question

I have an infrastructure where SNS topic sends messages to SQS (using SNS subscription of course). When I setup the following access policy it works.

 {
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "SendMessagePolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:312226948869:mr-sandbox-loyalty",
      "Condition": {
        "ArnEquals": {
          "AWS:SourceArn": "arn:aws:sns:us-east-1:312226948869:mr-sandbox-transaction-created"
        }
      }
    }
  ]
}

BUT when instead of * I setting up arn:aws:iam::312226948869:root messages aren't sent to queue. The account number which I used is 312226948869. Any ideas?

Thanks.

UPDATE

In web console, when I'm trying to set Principal: 312226949769 it's overrided as Principal: arn:aws:iam::312226949769:root

Did you manage to fix this? I have the same problem – Johan Kvint Jul 06 '20 at 08:58 — Johan Kvint, Jul 06 '20 at 08:58
@JohanKvint please check the solution below – AlexeyBogdan Jul 06 '20 at 11:23 — AlexeyBogdan, Jul 06 '20 at 11:23

score 0 · Answer 1 · answered Jul 06 '20 at 11:23

I managed to fix the issue. I added IAM ARN to ArnEquals condition.

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "SendersPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:%account_id%:mr-prod-loyalty-program",
      "Condition": {
        "ArnEquals": {
          "AWS:SourceArn": [
            "arn:aws:iam::%account_id%:role/boss-mr-prod-sqs-dashboard",
            "arn:aws:iam::%account_id%:role/IDT-PSF-Instance-Profile"
          ]
        }
      }
    }      
  ]
}

score 0 · Answer 2 · answered Jul 07 '20 at 06:54

My solution ended up not using my specific account as principal but instead service of SNS. This should be fine since I have the condition of specific sns topic arn

Resources:
  Policy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
              - sns.amazonaws.com
          Action:
          - sqs:SendMessage
          Resource: !GetAtt MySQS.Arn
          Condition:
            ArnEquals:
              aws:SourceArn: !Ref MyTopic
      Queues:
        - !Ref MySQS

Message isn't sent to SQS when I specify Principal in access policy

2 Answers2