DEV Community

Mac

Publish a message from an SNS in one AWS account to an SQS in a different AWS account

Suppose you have an AWS SNS topic in Account A and you want to publish messages to an AWS SQS queue in Account B. Here's how to do it.

Account A:

  • Create a new standard SNS topic and add the following statement to its access policy to allow an SQS queue from another account to subscribe:

```json
{
   "Effect":"Allow",
   "Principal":{
      "AWS":"<ID_OF_ACCOUNT_B>"
   },
   "Action":"sns:Subscribe",
   "Resource":"arn:aws:sns:<REGION>:<ID_OF_ACCOUNT_A>:<TOPIC_NAME>"
}
```

Account B:

  1. Create a new IAM user with permission to read messages from SQS, and create an access key for it. The consumer will use this access key to read messages from the queue.
  2. Create a new KMS key and allow the IAM user from step 1 to encrypt and decrypt messages with it.
  3. Add the following statement to the key policy of the KMS key from step 2 to allow the SNS topic in Account A to send encrypted messages to the SQS queue:

```json
{
    "Sid": "Allow use of the key from another account",
    "Effect": "Allow",
    "Principal": {
        "Service": "sns.amazonaws.com",
        "AWS": "arn:aws:iam::{ACCOUNT_OF_SNS}:root"
    },
    "Action": "kms:*",
    "Resource": "*"
}
```

  4. Create a new SQS queue with SSE-KMS enabled, using the key from step 2.
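As an added example (not code from the original post), the policy documents for this setup built from placeholder parameters: the topic policy from Account A, a key policy for Account B that narrows the post's kms:* grant to the actions SNS and the consumer actually need, the queue policy that lets the topic deliver into the queue (not shown in the post), and a small check that flags wildcard KMS grants to principals outside the key's account. Account IDs, region, topic and queue names and the consumer user ARN are assumptions.

```python
"""Policy documents for cross-account SNS -> SSE-KMS SQS delivery. Added example, not
code from the original post; account IDs, region and names are placeholder parameters
and consumer_user_arn is assumed to be the IAM user from Account B step 1."""
import json

def topic_arn(region, account_a, topic):
    return f"arn:aws:sns:{region}:{account_a}:{topic}"

def sns_topic_policy(region, account_a, account_b, topic):
    """Account A topic policy: let Account B subscribe (the same grant as the post)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": account_b},
        "Action": "sns:Subscribe", "Resource": topic_arn(region, account_a, topic)}]}

def kms_key_policy(account_b, consumer_user_arn):
    """Account B key policy. The post grants kms:* to the SNS account root; here the SNS
    service principal gets only the two actions it needs to deliver into an encrypted
    queue, the consumer gets only kms:Decrypt, and key administration stays in Account B."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdminAccountB", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_b}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "SNSMayEncryptForQueue", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "ConsumerMayDecrypt", "Effect": "Allow", "Principal": {"AWS": consumer_user_arn},
         "Action": "kms:Decrypt", "Resource": "*"}]}

def sqs_queue_policy(region, account_a, account_b, topic, queue):
    """Account B queue policy: accept SendMessage only from the one topic in Account A.
    The post does not show it; it is included so the whole delivery chain is visible."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sqs:SendMessage", "Resource": f"arn:aws:sqs:{region}:{account_b}:{queue}",
        "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn(region, account_a, topic)}}}]}

def foreign_wildcard_grants(policy, home_account):
    """Sids of statements that hand '*' or 'kms:*' to a principal outside home_account:
    the review check to run on a key policy such as the post's before applying it."""
    hits = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        pr = st.get("Principal", {})
        principals = pr.get("AWS", []) if isinstance(pr, dict) else [pr]
        principals = principals if isinstance(principals, list) else [principals]
        if any(a in ("*", "kms:*") for a in actions) and any(home_account not in p for p in principals):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

if __name__ == "__main__":
    print(json.dumps(kms_key_policy("222222222222", "arn:aws:iam::222222222222:user/sqs-consumer"), indent=2))
```

Running the check against the post's key policy with Account B's ID reports its single statement, because it grants kms:* to the other account's root; the narrowed policy above reports nothing.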
