0 votes
2 views
in AWS by (19.1k points)

I'm using the AWS SQS service, and I'm having a hard time defining permissions on my SQS queue. In my setup, I'm using the AWS Lambda service, which is triggered when an object is pushed onto an S3 bucket.

However, to keep my question brief, this is what I want to achieve:

  • The object is pushed to an S3 bucket
  • S3 bucket triggers AWS Lambda
  • Lambda does some calculations, and pushes an event to my SQS queue (Permission needs to be defined)
  • The application reads from SQS

As you can read from the previous use-case, I want my AWS Lambda method to be the only application that can send a message to the SQS queue. I've tried to set a principal and a condition "sourceArn". But none of them works.

Can anyone help?

1 Answer

0 votes
by (44.4k points)

Lambda runs arbitrary code; it is not an AWS feature like SNS, where SourceArn works pretty well.

You can attach this policy to the IAM Role which is attached to your Lambda function as a workaround.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1440529349000",
            "Effect": "Allow",
            "Action": [
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:us-west-2:123456789012:test-queue"
            ]
        }
    ]
}
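
A way to check that a role policy like the one above grants sqs:SendMessage on the queue and nothing broader. This is an added example, not part of the original answer; audit_send_policy and LOOSE_POLICY are hypothetical names, and the check reads only Allow statements with Action and Resource (Deny, NotAction, NotResource and Condition are not evaluated).

```python
import re

QUEUE_ARN = "arn:aws:sqs:us-west-2:123456789012:test-queue"  # ARN from the answer

# The answer's policy, as a Python dict
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1440529349000",
        "Effect": "Allow",
        "Action": ["sqs:SendMessage"],
        "Resource": [QUEUE_ARN],
    }],
}

# Constructed counter-example: works, but grants far more than the function needs
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
}

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single item or a list
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def audit_send_policy(policy, queue_arn):
    """Return (grants_send, findings) for an identity policy document."""
    grants_send, findings = False, []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = [r for r in _as_list(stmt.get("Resource", [])) if _matches(r, queue_arn)]
        if not resources:
            continue  # statement does not cover this queue
        findings += [f"resource {r!r} covers more than the queue" for r in resources if r != queue_arn]
        for action in _as_list(stmt.get("Action", [])):
            if _matches(action, "sqs:SendMessage", ignore_case=True):
                grants_send = True
                if action.lower() != "sqs:sendmessage":
                    findings.append(f"action {action!r} is broader than sqs:SendMessage")
            elif action.lower().startswith("sqs:"):
                findings.append(f"extra SQS action {action!r} on the queue")
    return grants_send, findings
```

An empty findings list with grants_send set to True means the role can send to this queue and the statements covering it grant no other SQS access.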
