AWS Security ChangesHomeSearch

AWS AWSSimpleQueueService high security documentation change

Service: AWSSimpleQueueService · 2025-04-23 · Security-related high

File: AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md

Summary

Updated cross-account permissions guidance to require combining IAM and resource-based policies, with explicit steps for queue access policies and role configuration

Security assessment

The changes clarify security-critical requirements for cross-account access (explicitly requiring resource-based policies and proper role configuration). The added warning 'IAM identity-based policies alone aren't sufficient for cross-account access to SQS queues' directly addresses a potential security misconfiguration that could lead to unauthorized access.

Diff

diff --git a/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md b/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md
index 162ffa0fd..81436a09f 100644
--- a//AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md
+++ b//AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.md
@@ -105 +105 @@ To grant access for these actions, the user must belong to the same AWS account
-  * **Attach a permission policy to a role (grant cross-account permissions)** – To grant cross-account permissions, attach an identity-based permissions policy to an IAM role. For example, the AWS account A administrator can create a role to grant cross-account permissions to AWS account B (or an AWS service) as follows:
+  * **Attach a permission policy to a role (grant cross-account permissions)** – To grant cross-account permissions to an SQS queue, you must combine both IAM and resource-based policies:
@@ -107 +107 @@ To grant access for these actions, the user must belong to the same AWS account
-    * The account A administrator creates an IAM role and attaches a permissions policy — that grants permissions on resources in account A — to the role.
+    1. In **Account A** (which owns the queue):
@@ -109 +109 @@ To grant access for these actions, the user must belong to the same AWS account
-    * The account A administrator attaches a trust policy to the role that identifies account B as the principal who can assume the role.
+       * Attach a **resource-based policy** to the SQS queue. This policy must explicitly grant the necessary permissions (for example, [`SendMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html), [`ReceiveMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html)) to the principal in **Account B** (such as an IAM role).
@@ -111 +111,3 @@ To grant access for these actions, the user must belong to the same AWS account
-    * The account B administrator delegates the permission to assume the role to any users in account B. This allows users in account B to create or access queues in account A.
+    2. In **Account A** , create an IAM role:
+
+       * A **trust policy** that allows **Account B** or an AWS service to assume the role.
@@ -115 +117,6 @@ To grant access for these actions, the user must belong to the same AWS account
-If you want to grant the permission to assume the role to an AWS service, the principal in the trust policy can also be an AWS service principal.
+If you want an AWS service (such as Lambda or EventBridge) to assume the role, specify the service principal (for example, lambda.amazonaws.com) in the trust policy.
+
+       * An **identity-based policy** that grants the assumed role permissions to interact with the queue.
+
+    3. In **Account B** , grant permission to assume the role in **Account A**.
+
@@ -118,0 +126 @@ If you want to grant the permission to assume the role to an AWS service, the pr
+You must configure the queue’s access policy to allow the cross-account principal. IAM identity-based policies alone aren't sufficient for cross-account access to SQS queues.