
I have an SQS queue to which I want to limit access, so that only specific services are allowed to send/receive.

After reading and trying things out, I have found that this should be doable by using an access policy on the SQS queue.

The policy I wrote:

```json
{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:eu-west-1:123456789:HACKsqs03/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid456789",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/HACKiam01"
      },
      "Action": "SQS:ReceiveMessage",
      "Resource": "arn:aws:sqs:eu-west-1:123456789:HACKsqs03"
    },
    {
      "Sid": "Sid123456",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/HACKiam02"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-1:123456789:HACKsqs03"
    }
  ]
}
```

I attached this policy to the SQS queue.

The two roles were added to two different EC2 instances which I used for testing. Both were still able to send and receive messages, and I can't figure out why.

Is my policy wrong? Or am I misunderstanding the documentation?

Clarification: I need a policy that allows one instance/security group/IAM role to SendMessage and another instance/SG/IAM role to ReceiveMessage.

superstienos
  • To clarify... are you saying that, while one instance should only have been able to send and another instance should only have been able to receive, both instances can send AND receive? Do those IAM Roles contain any other permissions (eg `sqs:*`)? – John Rotenstein Aug 14 '17 at 17:18
  • No, one should be able to send. And one to receive. They should not be able to do something else. – superstienos Aug 14 '17 at 17:21
  • Do those IAM Roles contain any other permissions (eg sqs:*)? – John Rotenstein Aug 14 '17 at 18:06
  • No, I made two new ones. Nothing added, just names. – superstienos Aug 14 '17 at 18:07
  • Well, they must be getting the permissions from somewhere. I'd recommend removing the SQS policy to see whether it prevents access. Keep removing things (SQS permissions, IAM permissions) until access stops and then you'll know what is granting them access. Also, check whether you have credentials stored on the instances that are being used instead of the permissions granted by the roles assigned to the EC2 instance. – John Rotenstein Aug 14 '17 at 18:17
  • Thanks! People F'd up with policies... – superstienos Aug 15 '17 at 08:33

1 Answer


There are other policies explicitly allowing things. Thanks to John Rotenstein for pointing me in the right direction:

Follow-up question

superstienos
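The answer above found that the extra access came from other policies. The model below, added here as an illustration (it is not code from the question, the answer or AWS), shows why that is the whole story: within one account, an Allow in the role's identity policy is enough on its own, so a queue policy that contains only Allow statements can grant access but never take it away. The account ID, queue ARN and role names are the ones from the question; the stray `sqs:*` identity policy and the hardened queue policy with explicit Deny statements are constructed for the example, and the evaluator deliberately models only the rules that matter here (explicit Deny wins, otherwise Allow from either policy grants), not SCPs, permission boundaries, session policies or cross-account evaluation.

```python
"""Same-account policy evaluation model for an SQS queue policy.

Constructed example for this thread, not AWS code. Rules modelled:
an explicit Deny in any applicable policy wins; otherwise, because
caller and queue are in the same account, an Allow in EITHER the role's
identity policy OR the queue (resource) policy is enough. SCPs, permission
boundaries, session policies and cross-account evaluation are left out.
"""
import fnmatch

ACCOUNT = "123456789"
QUEUE = f"arn:aws:sqs:eu-west-1:{ACCOUNT}:HACKsqs03"
RECEIVER = f"arn:aws:iam::{ACCOUNT}:role/HACKiam01"   # may only receive
SENDER = f"arn:aws:iam::{ACCOUNT}:role/HACKiam02"     # may only send


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards are * and ?; actions are case-insensitive, so lower both.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt, principal, action, resource):
    """True when Action, Resource, Principal and Condition all hit."""
    if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    if "Principal" in stmt:  # resource policies name a Principal, identity policies do not
        allowed = stmt["Principal"]
        allowed = ["*"] if allowed == "*" else _as_list(allowed.get("AWS", []))
        if not any(_match(p, principal) for p in allowed):
            return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if key != "aws:PrincipalArn":  # only the key this example uses is modelled
                raise NotImplementedError(f"condition key {key} not modelled")
            hit = any(_match(v, principal) for v in _as_list(values))
            if operator == "ArnEquals" and not hit:
                return False
            if operator == "ArnNotEquals" and hit:
                return False
    return True


def is_allowed(principal, action, resource, identity_policy, queue_policy):
    effects = [s["Effect"]
               for policy in (identity_policy, queue_policy)
               for s in _as_list(policy["Statement"])
               if _statement_applies(s, principal, action, resource)]
    if "Deny" in effects:
        return False           # explicit Deny always wins
    return "Allow" in effects  # any Allow from either policy grants; else implicit deny


# The queue policy from the question (Allow statements only).
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Sid456789", "Effect": "Allow", "Principal": {"AWS": RECEIVER},
     "Action": "SQS:ReceiveMessage", "Resource": QUEUE},
    {"Sid": "Sid123456", "Effect": "Allow", "Principal": {"AWS": SENDER},
     "Action": "SQS:SendMessage", "Resource": QUEUE},
]}

# Constructed: a role with no identity-policy permissions at all ...
EMPTY_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": []}
# ... and one somebody attached sqs:* to (the "other policies" the answer found).
STRAY_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}

# Constructed hardening: keep the two Allows, add an explicit Deny per action for
# every other principal. aws:PrincipalArn is the role ARN for an assumed role,
# so the EC2 instance session of the intended role matches the exemption.
HARDENED_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": QUEUE_POLICY["Statement"] + [
    {"Sid": "DenySendToOthers", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "SQS:SendMessage", "Resource": QUEUE,
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": SENDER}}},
    {"Sid": "DenyReceiveToOthers", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "SQS:ReceiveMessage", "Resource": QUEUE,
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": RECEIVER}}},
]}


def access_matrix(identity_policy, queue_policy):
    """Map (role name, action) -> allowed? for both roles and both actions."""
    return {(role.rsplit("/", 1)[1], action):
            is_allowed(role, f"sqs:{action}", QUEUE, identity_policy, queue_policy)
            for role in (RECEIVER, SENDER)
            for action in ("SendMessage", "ReceiveMessage")}


if __name__ == "__main__":
    scenarios = [
        ("queue policy only (what the question expected)", EMPTY_IDENTITY_POLICY, QUEUE_POLICY),
        ("queue policy + stray sqs:* identity policy (the symptom)", STRAY_IDENTITY_POLICY, QUEUE_POLICY),
        ("stray identity policy + hardened queue policy", STRAY_IDENTITY_POLICY, HARDENED_QUEUE_POLICY),
    ]
    for label, idp, qp in scenarios:
        print(label)
        for (role, action), ok in sorted(access_matrix(idp, qp).items()):
            print(f"  {role:<10} {action:<15} {'allowed' if ok else 'denied'}")
```

Two practical notes. First, the Deny statements are scoped to the data-plane actions (SendMessage, ReceiveMessage) only, so an administrator can still run SetQueueAttributes to repair the policy; a Deny on `sqs:*` with the same condition would lock everyone but the two roles out of managing the queue. Second, following the advice in the comments to check for stored credentials: `aws sts get-caller-identity` run on each instance shows which principal the calls are actually made as, which has to be the role ARN for any of this to apply.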