Suppose you have an SNS topic in Account A and you want to publish messages to an SQS queue in Account B. Here's how you can do it.
Account A:
1. Create a new standard SNS topic and add the following statement to its access policy so that an SQS queue in Account B is allowed to subscribe:
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "<ID_OF_ACCOUNT_B>"
     },
     "Action": "sns:Subscribe",
     "Resource": "arn:aws:sns:<REGION>:<ID_OF_ACCOUNT_A>:<TOPIC_NAME>"
   }
Account B:
1. Create a new IAM user with permission to receive messages from the SQS queue, and create an access key for that user; the consumer uses this access key to read messages from the queue.
2. Create a new KMS key and allow the IAM user from step 1 to encrypt and decrypt messages with it.
3. Add the following statement to the key policy of the KMS key from step 2, so that the SNS topic in Account A can send encrypted messages to the SQS queue:
   {
     "Sid": "Allow use of the key from another account",
     "Effect": "Allow",
     "Principal": {
       "Service": "sns.amazonaws.com",
       "AWS": "arn:aws:iam::<ID_OF_ACCOUNT_A>:root"
     },
     "Action": "kms:*",
     "Resource": "*"
   }
4. Create a new SQS queue with SSE-KMS enabled, using the KMS key from step 2.
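As an added example (not part of the original post), the Python below assembles the three policy documents this setup relies on: the topic statement from Account A, a KMS key statement for Account B that grants the SNS service principal only kms:GenerateDataKey* and kms:Decrypt instead of kms:*, and the SQS queue statement that lets the topic deliver into the queue (the post does not show this one, but SNS cannot write to the queue without it). Account IDs, region and resource names are constructed placeholders, and a small lint flags whole-service wildcard actions such as the kms:* above.

```python
import json
# Constructed placeholder identifiers: substitute your own account IDs, region and names.
ACCOUNT_A = "111111111111"  # owns the SNS topic
ACCOUNT_B = "222222222222"  # owns the SQS queue and the KMS key
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_A}:orders-topic"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_B}:orders-queue"

def topic_policy_statement():
    """Account A topic policy: Account B may subscribe, but only this queue, over SQS."""
    return {
        "Sid": "AllowAccountBQueueToSubscribe",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_B},
        "Action": "sns:Subscribe",
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"sns:Endpoint": QUEUE_ARN, "sns:Protocol": "sqs"}},
    }

def kms_key_policy_statement():
    """Account B key policy: SNS only needs a data key and decrypt, not kms:*."""
    return {
        "Sid": "AllowSNSToUseKeyForQueueEncryption",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*",  # in a key policy "*" means this key only
    }

def queue_policy_statement():
    """Account B queue policy: accept deliveries only from the Account A topic."""
    return {
        "Sid": "AllowSNSTopicFromAccountAToSend",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }

def build_policy(*statements):
    """Wrap statements into a complete policy document for the console or CLI."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)}, indent=2)

def service_wildcard_actions(statement):
    """Lint: Allow actions that grant a whole service ('*' or '<service>:*')."""
    actions = statement.get("Action", []) if statement.get("Effect") == "Allow" else []
    actions = [actions] if isinstance(actions, str) else actions
    return [a for a in actions if a == "*" or a.endswith(":*")]
```

Paste the output of build_policy(...) for each statement into the matching topic, key or queue policy; the lint returns an empty list for all three statements above and ["kms:*"] for the statement in step 3.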