amazon-web-servicesamazon-iamamazon-sqs

How to extend sqs queue default policy


I have sqs queue, which has no policy defined. Queue is not owned by me, I have no idea how it is used, and I do not want to break it. I need to add permission for sending messages from different account, i.e.:

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_Send_Receive",
      "Effect": "Allow",
      "Principal": { "AWS": [ "111122223333" ] },
      "Action": [ "sqs:SendMessage" ],
      "Resource": "arn:aws:sqs:us-east-1:my-queue"
   }]
}

Adding such policy to queue will override default policy which grants full access to account which created the queue. I cannot find definition/equivalent of this default policy.

How can I add my statement to the queue's resource policy without breaking access in the account owning the queue?


Solution

  • To obtain a 'default' policy, simply create a new SQS Queue. It will display a policy like this:

    {
      "Version": "2012-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__owner_statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "111111111111"
          },
          "Action": [
            "SQS:*"
          ],
          "Resource": "arn:aws:sqs:ap-southeast-2:111111111111:queue-name"
        }
      ]
    }