Reputation: 1579
Background: My application reads from an AWS SQS queue. I have all my AWS Resources under one AWS account [not IAM user accounts but the main AWS root account].
Question: I have to access an SQS queue which is created under an AWS account that is different from the account for all my AWS resources. My question is: will this work? I only have one account to experiment with and cannot test the scenario myself.
Any help is appreciated.
Cheers.
Upvotes: 0
Views: 2076
Reputation: 311
Yes, it's possible: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies-access-policy-examples.html
You just specify the correct policy!
For example:
    {
      "Version": "2012-10-17",
      "Id": "UseCase2",
      "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "111122223333",
            "444455556666"
          ]
        },
        "Action": [
          "sqs:SendMessage",
          "sqs:ReceiveMessage"
        ],
        "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
        "Condition": {
          "DateLessThan": {
            "AWS:CurrentTime": "2009-06-30T12:00Z"
          }
        }
      }]
    }
Enjoy!
Upvotes: 0
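A simplified model of how the queue policy in the answer above gets matched, as an added example that is not part of the original answers and is not AWS's own evaluation logic. The helper names are hypothetical, and only account ID principals, exact action names and the `DateLessThan` condition are handled. It shows that the 2009 cutoff carried over from the documentation sample no longer matches any request, and that `sqs:DeleteMessage` is not among the granted actions.

```python
from datetime import datetime, timezone

def build_queue_policy(queue_arn, account_ids, actions, expires=None):
    """Resource policy the queue owner attaches to the queue."""
    stmt = {
        "Sid": "CrossAccountAccess",  # constructed Sid
        "Effect": "Allow",
        "Principal": {"AWS": list(account_ids)},
        "Action": list(actions),
        "Resource": queue_arn,
    }
    if expires:  # optional cutoff, same shape as the answer's Condition
        stmt["Condition"] = {"DateLessThan": {"aws:CurrentTime": expires}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _cutoff(stmt):
    """Return the DateLessThan cutoff as an aware datetime, or None."""
    cond = stmt.get("Condition", {}).get("DateLessThan", {})
    for key, ts in cond.items():
        if key.lower() == "aws:currenttime":  # condition key names are case-insensitive
            # Parses only the 'YYYY-MM-DDTHH:MMZ' form used in the answer.
            return datetime.strptime(ts, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
    return None

def allows(policy, account_id, action, now):
    """Simplified match: account ID principals, exact actions, DateLessThan only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if account_id not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        cutoff = _cutoff(stmt)
        if cutoff is not None and now >= cutoff:
            continue  # the time window has closed, so the statement no longer applies
        return True
    return False

# Values from the answer's policy (AWS documentation placeholders).
ANSWER_POLICY = build_queue_policy(
    "arn:aws:sqs:us-east-2:444455556666:queue2",
    ["111122223333", "444455556666"],
    ["sqs:SendMessage", "sqs:ReceiveMessage"],
    expires="2009-06-30T12:00Z",
)
```

When the policy names an account ID as principal, IAM users or roles in that account still need an identity policy that allows the same actions on the queue ARN.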
Reputation: 269091
Yes, permission can be granted to allow a different AWS account to push messages to your SQS queues.
See: Amazon SQS Policy Examples
It is simple to create another AWS account if you wish to test this process. You can even link your accounts via Consolidated Billing. There is no charge for an additional account.
Upvotes: 1