What permissions are needed in QueuePolicy to allow SNS to send to SQS?

Question

IamRoleSNSPublishSQS:
  Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: Allow-SNS-Messages
            Effect: Allow
            Principal: 
              AWS: '*'
            Action: 
              - "SQS:*"
            Resource: {"Ref": "IncomingEmailSnsTopic"}
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref 'IncomingEmailSnsTopic'
      Queues:
        - {"Ref": "MyQueue"}

That's the policy I've got (it's not failing to update the Cloudformation stack).

When I have that, the message fails to be published to the queue.

If I then update the permissions:

and check this box:

then when a message is published it does go into the queue. What's wrong with the queuepolicy?

Answer 1

In your queue policy the Resource field is currently pointing to the ARN of the SNS topic.

The Resource field should point to the resource to which the policy applies. In other words the queue's ARN (another option would be to just use a wildcard).