I have a NodeJS application that publishes messages to an AWS SNS topic, and an AWS SQS subscription for the same topic. On the SQS console, I can see the published message. However, I am not clear about the access policy of the SQS queue.

This answer mentions the use of "Principal": "*" - but, that is very broad. One could probably use "Principal" : {"AWS": "*"}; but, that isn't narrow either.

{
  "Version": "2012-10-17",
  "Id": "Policy1607949016538",
  "Statement": [
    {
      "Sid": "Stmt1607949012567",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:ap-south-1:463113000000:orders"
    }
  ]
}

Questions

  1. While delivering a message to an SQS queue as a result of the subscription, which user is in effect? The same as the one who published to the topic?
  2. I could get the messages to flow into the queue only when I used "Principal" : {"AWS": "*"}. So, how should I define a restrictive policy such that messages are written to queues only as a result of subscription?
  3. What is the equivalent in the AWS SQS CLI to create a queue with "Principal" : {"AWS": "*"} permissions?
cogitoergosum

1 Answer

  1. The only user that matters is the one that qualifies for the policy, as defined for the subscription and the SQS access policy.
  2. The Condition in the policy document can make the overall policy restrictive. See the example below.
  3. Adding SQS permissions with conditions using an AWS CLI command

Example policy document restricting access to an account ID.

{
  "Version": "2012-10-17",
  "Id": "Policy1607960702002",
  "Statement": [
    {
      "Sid": "Stmt1607960701004",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:ap-south-1:463113000000:orders",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "463113000000"
        }
      }
    }
  ]
}
cogitoergosum
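As an added example (not code from the question or the answer above), the snippet below builds a queue policy that allows only the SNS service to send, and only on behalf of one topic, via the `sns.amazonaws.com` service principal plus an `aws:SourceArn` condition (the documented pattern for SNS-to-SQS delivery); it also emits the attribute map the CLI's `--attributes file://` option expects and audits a policy for unconditioned `"Principal": "*"` grants such as the one in the question. The queue ARN is the one from the question; the topic ARN is an assumed sample value.

```python
import json

# Queue ARN from the question; topic ARN is a constructed sample value.
QUEUE_ARN = "arn:aws:sqs:ap-south-1:463113000000:orders"
TOPIC_ARN = "arn:aws:sns:ap-south-1:463113000000:orders-topic"  # assumed

# The question's original policy, reproduced here as audit input.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1607949012567", "Effect": "Allow", "Principal": "*",
        "Action": ["sqs:ReceiveMessage", "sqs:SendMessage"], "Resource": QUEUE_ARN,
    }],
}


def sns_only_queue_policy(queue_arn: str, topic_arn: str) -> dict:
    """Allow only the SNS service to SendMessage, and only for deliveries
    originating from the named topic (aws:SourceArn). No ReceiveMessage grant
    is needed here: consumers in the account get that through IAM."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSnsTopicToSendMessage",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def queue_attributes(policy: dict) -> dict:
    """Map of attribute name -> string value, the shape `aws sqs create-queue`
    and `aws sqs set-queue-attributes --attributes file://attrs.json` read."""
    return {"Policy": json.dumps(policy)}


def broad_statements(policy: dict) -> list:
    """Audit: Sids of Allow statements open to any principal with no Condition."""
    hits = []
    for stmt in policy.get("Statement", []):
        p = stmt.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print("overly broad statements:", broad_statements(ORIGINAL_POLICY))
    # Write this to attrs.json, then:
    #   aws sqs create-queue --queue-name orders --attributes file://attrs.json
    print(json.dumps(queue_attributes(sns_only_queue_policy(QUEUE_ARN, TOPIC_ARN))))
```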