AWS AWSSimpleQueueService high security documentation change
Summary
Updated cross-account permissions guidance to require combining IAM and resource-based policies, with explicit steps for queue access policies and role configuration
Security assessment
The changes clarify security-critical requirements for cross-account access (explicitly requiring resource-based policies and proper role configuration). The added warning 'IAM identity-based policies alone aren't sufficient for cross-account access to SQS queues' directly addresses a potential security misconfiguration that could lead to unauthorized access.
Diff
diff --git a/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md b/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md index 162ffa0fd..81436a09f 100644 --- a//AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md +++ b//AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md @@ -105 +105 @@ To grant access for these actions, the user must belong to the same AWS account - * **Attach a permission policy to a role (grant cross-account permissions)** – To grant cross-account permissions, attach an identity-based permissions policy to an IAM role. For example, the AWS account A administrator can create a role to grant cross-account permissions to AWS account B (or an AWS service) as follows: + * **Attach a permission policy to a role (grant cross-account permissions)** – To grant cross-account permissions to an SQS queue, you must combine both IAM and resource-based policies: @@ -107 +107 @@ To grant access for these actions, the user must belong to the same AWS account - * The account A administrator creates an IAM role and attaches a permissions policy — that grants permissions on resources in account A — to the role. + 1. In **Account A** (which owns the queue): @@ -109 +109 @@ To grant access for these actions, the user must belong to the same AWS account - * The account A administrator attaches a trust policy to the role that identifies account B as the principal who can assume the role. + * Attach a **resource-based policy** to the SQS queue. This policy must explicitly grant the necessary permissions (for example, [`SendMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html), [`ReceiveMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html)) to the principal in **Account B** (such as an IAM role). @@ -111 +111,3 @@ To grant access for these actions, the user must belong to the same AWS account - * The account B administrator delegates the permission to assume the role to any users in account B. This allows users in account B to create or access queues in account A. + 2. In **Account A** , create an IAM role: + + * A **trust policy** that allows **Account B** or an AWS service to assume the role. @@ -115 +117,6 @@ To grant access for these actions, the user must belong to the same AWS account -If you want to grant the permission to assume the role to an AWS service, the principal in the trust policy can also be an AWS service principal. +If you want an AWS service (such as Lambda or EventBridge) to assume the role, specify the service principal (for example, lambda.amazonaws.com) in the trust policy. + + * An **identity-based policy** that grants the assumed role permissions to interact with the queue. + + 3. In **Account B** , grant permission to assume the role in **Account A**. + @@ -118,0 +126 @@ If you want to grant the permission to assume the role to an AWS service, the pr +You must configure the queue’s access policy to allow the cross-account principal. IAM identity-based policies alone aren't sufficient for cross-account access to SQS queues.