AWS SQS Queue Configuration for Access from EC2 Instances in Another AWS Account

Question

Your AWS account (111111111111) owns an SQS queue in us-east-2 Region which is used to store messages, and downstream applications get messages from the queue for processing.

At the moment, EC2 instances in another AWS account (222222222222) need to send messages to the queue.

You want to give access to these instances on the condition that the IP range is 203.0.113.0/24

How would you configure the SQS queue?

Answers

Explanations

Correct Answer - D.

In order to control the SQS queue access, users can update the SQS access policy.

References and examples can be found at https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html#sqs-creating-custom-policies-key-concepts and https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies-access-policy-examples.html.

Option A is incorrect: users can click the Add a Permission button to quickly update the policy, but account 222222222222 should be configured as the Principal rather than as the Resource.

Option B is incorrect: the policy should not allow all SQS actions, and the NotIpAddress condition is the wrong operator for this requirement.

Option C is incorrect: the policy contains only an explicit Deny. It must also include an explicit Allow statement, because a policy that only denies grants no access at all.

Option D is CORRECT: Because this policy allows the AWS account 222222222222 to send messages to the queue on the condition that the IP range is 203.0.113.0/24.

The correct answer is D: Modify the SQS queue policy as shown below:

```json
{
  "Version": "2012-10-17",
  "Id": "QueuePolicy",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": [ "222222222222" ]
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-2:111111111111:ExampleQueue",
      "Condition": {
        "IpAddress": {
          "AWS:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Explanation:

The scenario describes a requirement where EC2 instances in a different AWS account need to send messages to an SQS queue owned by another AWS account. The requirement also states that access should be granted only to instances in a specific IP range.

To achieve this requirement, we need to modify the SQS access policy. The access policy is a JSON document that specifies who can access the SQS queue and what actions they can perform.

The correct answer is D because it allows EC2 instances in the specified IP range to perform SendMessage and ReceiveMessage actions on the SQS queue.

The policy contains the following elements:

  • Version: Specifies the access policy version. The current version is "2012-10-17".
  • Id: An optional identifier for the policy as a whole.
  • Statement: An array of policy statements, each containing an "Effect", "Principal", "Action", "Resource", and "Condition".

The Statement element in the policy contains the following elements:

  • Sid: An optional identifier for the statement.
  • Effect: Specifies whether the statement allows or denies access. In this case, the effect is "Allow".
  • Principal: Specifies the AWS account or IAM user or role that is allowed or denied access. In this case, the principal is the AWS account 222222222222.
  • Action: Specifies the action or actions that are allowed or denied. In this case, the action is "sqs:SendMessage" and "sqs:ReceiveMessage".
  • Resource: Specifies the ARN of the resource that the statement applies to. In this case, the resource is the SQS queue arn:aws:sqs:us-east-2:111111111111:ExampleQueue.
  • Condition: Specifies additional conditions that must be met for the statement to apply. In this case, the condition is "IpAddress" and the allowed source IP range is "203.0.113.0/24".

Therefore, the correct answer is D because it provides the required access to the SQS queue while also enforcing the IP address restriction. Answer A is incorrect because it does not specify the principal and the action is allowed instead of being restricted. Answer B is incorrect because it allows all SQS actions instead of restricting them and uses the "NotIpAddress" condition instead of "SourceIp". Answer C is incorrect because it denies all actions and does not include the correct "SourceIp" condition.
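To make the reasoning above concrete, the following added example (not part of the original question or of AWS's own tooling) builds the Option D policy as a Python dictionary and runs a small evaluator over it that follows IAM's decision logic: default deny, an explicit Deny always wins, and a request is allowed only when some Allow statement matches the principal, action, resource and conditions. It also constructs a deny-only policy in the spirit of Option C to show why such a policy grants nothing. The evaluator supports only the subset of policy grammar this page uses (account principals, action wildcards, the IpAddress and NotIpAddress operators on aws:SourceIp); everything else raises. The account IDs, queue ARN and IP range are the ones from the question; the sample request IPs are constructed.

```python
"""Mini evaluator for SQS queue policies that use aws:SourceIp conditions (added example)."""
import ipaddress
import json

# Values from the question: queue owned by 111111111111, sender account 222222222222.
QUEUE_ARN = "arn:aws:sqs:us-east-2:111111111111:ExampleQueue"

# The Option D policy from the answer key, as a Python dict.
OPTION_D_POLICY = {
    "Version": "2012-10-17",
    "Id": "QueuePolicy",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": ["222222222222"]},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": QUEUE_ARN,
        # IAM condition key names are case-insensitive, so AWS:SourceIp == aws:SourceIp.
        "Condition": {"IpAddress": {"AWS:SourceIp": "203.0.113.0/24"}},
    }],
}

# Constructed deny-only policy in the spirit of Option C: an explicit Deny and no Allow.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": ["222222222222"]},
        "Action": "sqs:*",
        "Resource": QUEUE_ARN,
        "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id):
    """Match a bare account ID, the account root ARN, or the '*' wildcard."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or account_id in aws or f"arn:aws:iam::{account_id}:root" in aws


def _action_matches(actions, action):
    """Exact match or trailing-'*' prefix match (e.g. 'sqs:*')."""
    for pattern in _as_list(actions):
        if pattern == action:
            return True
        if pattern.endswith("*") and action.lower().startswith(pattern[:-1].lower()):
            return True
    return False


def _conditions_hold(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; every operator must hold."""
    ip = ipaddress.ip_address(source_ip)
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, cidrs in pairs.items():
            if key.lower() != "aws:sourceip":
                raise ValueError(f"unsupported condition key {key}")
            in_range = any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policy, account_id, action, resource, source_ip):
    """Return 'Allow' or 'Deny': explicit Deny wins, otherwise some Allow must match."""
    decision = "Deny"  # implicit (default) deny
    for stmt in policy["Statement"]:
        resources = _as_list(stmt["Resource"])
        if "*" not in resources and resource not in resources:
            continue
        if not _principal_matches(stmt["Principal"], account_id):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def as_queue_attributes(policy):
    """The SQS 'Policy' attribute is a JSON *string*, not a nested object."""
    return {"Policy": json.dumps(policy)}


if __name__ == "__main__":
    for acct, action, ip in [("222222222222", "sqs:SendMessage", "203.0.113.10"),   # constructed
                             ("222222222222", "sqs:SendMessage", "198.51.100.5"),   # constructed
                             ("333333333333", "sqs:SendMessage", "203.0.113.10")]:  # constructed
        print(acct, action, ip, "->", evaluate(OPTION_D_POLICY, acct, action, QUEUE_ARN, ip))
    print("deny-only, in range ->",
          evaluate(DENY_ONLY_POLICY, "222222222222", "sqs:SendMessage", QUEUE_ARN, "203.0.113.10"))
```

The shape returned by `as_queue_attributes` is what `set_queue_attributes(QueueUrl=..., Attributes=...)` in boto3 (or `aws sqs set-queue-attributes --attributes`) expects; a common mistake is to pass the policy as a nested object rather than a serialised string. The deny-only run shows the Option C failure mode: with no Allow statement, in-range and out-of-range requests are both denied, so the IP restriction achieves nothing on its own.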