I'm modifying an AWS CloudFormation template with the intention of ensuring that SNS Topic A is the only topic that can publish to SQS Queue 1 and SQS Queue 2. This is what I have:
SomeOtherQueue:
  Type: AWS::SQS::Queue
InboundQueue:
  Type: AWS::SQS::Queue
InboundCopyQueue:
  Type: AWS::SQS::Queue
InboundTopic:
  Type: AWS::SNS::Topic
  Properties:
    Subscription:
      - Endpoint:
          Fn::GetAtt:
            - InboundQueue
            - Arn
        Protocol: sqs
InboundQueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Id: InboundQueuePolicy
      Statement:
        - Sid: Allow-SendMessage-To-Inbound-Queue-Only
          Effect: Allow
          Principal:
            Service:
              - sns.amazonaws.com
          Action:
            - sqs:SendMessage
          Resource: "*"
    Queues:
      - Ref: InboundQueue
      - Ref: InboundCopyQueue
The above defines a set of queues, a topic with a subscription to the relevant queues, and a queue policy that is meant to restrict which topic can publish to the referenced queues.
What I'm trying to understand is how to go about ensuring that InboundQueuePolicy applies to InboundTopic only. I cannot seem to find the correct syntax for referencing InboundTopic as the resource for InboundQueuePolicy.
Any assistance with getting the correct syntax would be greatly appreciated.
Thanks
I believe you could add a condition to your policy that uses the aws:SourceArn key. AWS Global Condition Context Keys - Source ARN