Subscribe S3 events to SQS queue without exposing SQS to the world?

Question

I am struggling with what I would think would be a simple task.

I want to configure my SQS queue to allow S3 buckets in my account to send messages, but disallow outsiders to send messages. (Outsiders means any principal that is not a member of my AWS account)

The only SQS permission configuration that I can get to work is Effect=Allow, Principals=*, Actions=SQS:SendMessage, Conditions=None

Any other permission causes me to see this error when I create the [S3 event -> SQS]: Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket.

Principals=* concerns me. From the documentation I can find, this means that the SQS queue is accessible from anyone in the world. Is this true? This is obviously very bad.

How can I allow my S3 buckets to SendMessage to my SQS queue, and not anonymous users to push messages?

It is acceptable to me to allow any resource in my AWS account to SendMessage to SQS. I just need to block access to anonymous AWS users. This is a very basic requirement and I'm very surprised that I can't find a simple way to do this.

Answer 1

Find the secure config right in the document:

   "Condition": {

      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }

   }

Note that for both the Amazon SNS and Amazon SQS IAM policies, you can specify the StringLike condition in the policy:

"Condition": {         

  "StringLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }

  }  

Example provided in the doc:

{

   "Sid": "example-statement-ID",

   "Effect": "Allow",

   "Principal": {

     "AWS": "*"  

   },

   "Action": [

    "SQS:SendMessage"

   ],

   "Resource": "SQS-ARN",

   "Condition": {

      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }

   }

  }