How do I configure my cross-account Amazon SQS endpoint to the Amazon SNS topic?


I have an Amazon Simple Queue Service (Amazon SQS) queue in account A. I want to subscribe this queue to my Amazon Simple Notification Service (Amazon SNS) topic in account B.

Short description

Create the subscription from the Amazon SNS topic as the topic owner, or from the Amazon SQS queue as the queue owner. In either case, the resource in the other account must have an access policy that permits the operation before the subscription can be created and confirmed.

Resolution

Prerequisites:

  • To subscribe as the queue owner, make sure that the SNS topic access policy in account B allows account A to call sns:Subscribe on the topic.
  • To subscribe as the topic owner, make sure that the SQS queue access policy in account A allows the SNS topic to call SQS:SendMessage on the queue. Amazon SNS delivers the subscription confirmation (including the SubscribeURL) to the queue as a message, so without this permission the confirmation never arrives.

Subscribe as a queue owner

Modify the SNS access policy in account B

  1. Log in to the Amazon SNS console in account B.
  2. Switch to the appropriate AWS Region.
  3. Choose Topics, and then select your SNS topic.
  4. Choose Edit.
  5. Expand the Access policy section.
  6. In the JSON editor, add the following statement to the Statement array of the existing access policy (the editor expects a complete policy document, so keep the statements that are already there). The complete policy looks similar to the following:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccountAToSubscribe",
          "Effect": "Allow",
          "Principal": {
            "AWS": "111122223333"
          },
          "Action": "sns:Subscribe",
          "Resource": "arn:aws:sns:Region:account-id:topic-name"
        }
      ]
    }
    Note: Replace 111122223333 with the ID of account A (the queue owner) and the Resource value with your SNS topic ARN. Grant only sns:Subscribe to that account; don't widen the action to sns:* or the principal to "*".
  7. Choose Save.

As a queue owner, complete the following steps to subscribe your SQS queue in account A to your SNS topic in account B:

  1. Log in to the Amazon SQS console in account A.
  2. Switch to the appropriate Region.
  3. Choose Queues, and then select your SQS queue.
  4. In the SNS subscriptions section, select Subscribe to Amazon SNS topic.
  5. Under Specify an Amazon SNS topic available for this queue, select the dropdown. Then, choose Enter Amazon SNS topic ARN.
  6. In the An Amazon SNS topic that can send notifications to an Amazon SQS queue text field, enter your SNS topic ARN.
  7. Choose Save.
  8. Log in to the Amazon SNS console in account B.
  9. Choose Topics, and then select your SNS topic.
  10. To verify that the subscription is confirmed for your SNS topic in account B, review the Subscriptions section.
    Note: After you create the subscription, Amazon SQS adds a statement to the queue access policy that allows the SNS topic to send messages to your queue. The statement looks similar to the following:
    {
      "Sid": "topic-subscription-arn:aws:sns:Region:account-id:topic-name",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:Region:account-id:queue-name",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:Region:account-id:topic-name"
        }
      }
    }
    The wildcard principal is acceptable only because the aws:SourceArn condition limits SQS:SendMessage to that one topic. If you later edit the queue policy, keep the Condition block; without it, any principal can send messages to the queue.

Subscribe as a topic owner

Modify the SQS queue in account A

  1. Log in to the Amazon SQS console in account A.
  2. Switch to the appropriate Region.
  3. Choose Queues, and then select your SQS queue.
  4. Choose Edit.
  5. Expand the Access policy section.
  6. In the JSON editor, add the following statement to the Statement array of the queue's existing access policy (the editor expects a complete policy document, so keep the statements that are already there):
    {
      "Sid": "Allow_SNS_topic_in_Account_B_to_Send_Message",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:Region:account-id:queue-name",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:Region:account-id:topic-name"
        }
      }
    }
    Note: Replace the SQS queue ARN and SNS topic ARN with your values. Keep the aws:SourceArn condition; it is what restricts the wildcard principal to your topic in account B.
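Both procedures above come down to two resource policy statements: one on the topic in account B that lets account A subscribe, and one on the queue in account A that lets exactly one topic deliver. The following Python script is an added example, not code from the original article or from AWS. It generates both statements, merges each into an existing policy document without duplicating a Sid (one cause of the "Policy Error: null" rejection described under Troubleshooting tips), and lints the queue policy for the mistake that matters most here: a wildcard principal allowed to call SQS:SendMessage with no aws:SourceArn or aws:SourceAccount condition. The account IDs, ARNs and function names are the example's own constructed placeholders.

```python
"""Build, merge and lint the two resource policies for a cross-account
SNS -> SQS subscription. Added example; runs offline (no AWS calls)."""
import copy
import json

# Constructed placeholders: account A owns the queue, account B owns the topic.
SUBSCRIBER_ACCOUNT = "111122223333"
TOPIC_ARN = "arn:aws:sns:us-east-1:444455556666:cross-account-topic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:cross-account-queue"


def topic_policy_statement(topic_arn, subscriber_account, sid="AllowAccountAToSubscribe"):
    """Topic (account B) statement: let account A call sns:Subscribe on this topic only."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": subscriber_account},
        "Action": "sns:Subscribe",
        "Resource": topic_arn,
    }


def queue_policy_statement(queue_arn, topic_arn, sid="Allow_SNS_topic_in_Account_B_to_Send_Message"):
    """Queue (account A) statement: let one topic deliver. The wildcard principal is
    only acceptable because aws:SourceArn pins the caller to that topic."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "SQS:SendMessage",
        "Resource": queue_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": topic_arn}},
    }


def add_statement(policy, statement):
    """Return a copy of `policy` (dict, JSON string or None) with `statement` appended.
    Existing statements are preserved; a duplicate Sid is refused."""
    if policy is None:
        doc = {"Version": "2012-10-17", "Statement": []}
    elif isinstance(policy, str):
        doc = json.loads(policy)
    else:
        doc = copy.deepcopy(policy)
    doc.setdefault("Version", "2012-10-17")
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    if any(s.get("Sid") == statement.get("Sid") for s in statements):
        raise ValueError(f"duplicate Sid {statement.get('Sid')!r}")
    doc["Statement"] = statements + [copy.deepcopy(statement)]
    return doc


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_queue_policy(policy):
    """Report Allow statements that grant SendMessage to any principal without an
    aws:SourceArn or aws:SourceAccount condition (anyone could push into the queue)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sqs:sendmessage", "sqs:*", "*"}:
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        scoped = any(
            key.lower() in ("aws:sourcearn", "aws:sourceaccount")
            for operator_block in stmt.get("Condition", {}).values()
            if isinstance(operator_block, dict)
            for key in operator_block)
        if wildcard and not scoped:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: any principal may SendMessage; "
                            "add an aws:SourceArn condition")
    return findings


def build_policies(existing_topic_policy=None, existing_queue_policy=None):
    """Produce both finished documents, refusing an unscoped queue policy."""
    topic_doc = add_statement(existing_topic_policy,
                              topic_policy_statement(TOPIC_ARN, SUBSCRIBER_ACCOUNT))
    queue_doc = add_statement(existing_queue_policy,
                              queue_policy_statement(QUEUE_ARN, TOPIC_ARN))
    problems = lint_queue_policy(queue_doc)
    if problems:
        raise ValueError("; ".join(problems))
    return topic_doc, queue_doc


if __name__ == "__main__":
    topic_doc, queue_doc = build_policies()
    print(json.dumps(topic_doc, indent=2))
    print(json.dumps(queue_doc, indent=2))
```

Pass your current policy documents to build_policies (or add_statement) so the new statement is merged rather than replacing what is there, review the printed JSON, and then apply it with aws sns set-topic-attributes --attribute-name Policy and aws sqs set-queue-attributes --attributes Policy=... respectively.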

As a topic owner, complete the following steps to subscribe your SQS queue in another account:

  1. Log in to the Amazon SNS console in account B.
  2. Switch to the appropriate Region.
  3. Choose Topics, and then select your SNS topic.
  4. Under Subscriptions, select Create subscription.
  5. Choose the Protocol dropdown list, and then select Amazon SQS. For Endpoint, enter the ARN of the SQS queue in account A.
  6. Select Create subscription.
  7. To confirm the subscription, log in to the Amazon SQS console in account A.
  8. Choose Queues, and then select the subscribed SQS queue.
  9. Choose Send and receive messages.
  10. Select Poll for messages. A message from Amazon SNS appears under the Messages section.
  11. Select the message ID. Under the SubscribeURL, copy the URL in quotation marks.
  12. To see the ConfirmSubscriptionResult with SubscriptionArn, paste this URL link in your web browser and press Enter.
  13. Log in to the Amazon SNS console in account B.
  14. Choose Topics, and then select your SNS topic.
  15. To verify that the subscription is confirmed, review the subscription status under Subscriptions. The subscription status changes from Pending confirmation to Confirmed.

Note: Because the subscription is owned by the SNS account, you can't see the subscription listed in the SQS console.

Troubleshooting tips

My SQS queue is encrypted

SQS queues that are encrypted with an AWS Key Management Service (AWS KMS) key can block access from other accounts. If you don't choose a key when you turn on encryption, then the queue uses the AWS managed key for Amazon SQS (alias/aws/sqs). You can't edit the key policy of an AWS managed key, and it allows access only for principals in the same account, so you can't grant the Amazon SNS service the permissions it needs to deliver to the queue. For more information, see Encryption at rest in Amazon SQS.

To let Amazon SNS deliver to an encrypted queue, create a customer managed AWS KMS key in account A and use it for the queue. Then, add a statement to the key policy that allows the SNS service to make the AWS KMS API calls it needs.

To allow the SNS service to use the GenerateDataKey and Decrypt API methods, add the following statement to the customer managed key policy:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "sns.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}

For more information, see Configuring server-side encryption (SSE) for a queue (console).

My subscription is still pending confirmation after I create it in the Amazon SNS console

To troubleshoot this issue, use the following steps:

  1. Delete the pending subscription. Then, repeat the steps in the Subscribe as a topic owner section to re-create the subscription, so that Amazon SNS sends a new confirmation message to the queue.

  2. To poll your SQS queue for the confirmation message with the AWS Command Line Interface (AWS CLI) and retrieve the SubscribeURL, run the following command. Replace the queue URL with your own:

    aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --attribute-names All --message-attribute-names All --max-number-of-messages 10

    Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

  3. Copy the SubscribeURL from the message body and paste it in your browser to confirm the subscription. Before you open it, check that the TopicArn in the message is the topic you expect.

When I copy and paste my SNS topic access policy, I receive the error "Couldn't set topic access policy. Error code: InvalidParameter - Error message: An error occurred while setting the attribute access policy. Invalid parameter: Policy Error: null."

Use the following steps to troubleshoot the error:

  1. To make sure that the syntax of your policy is correct, paste the access policy into a JSON validator tool.
  2. Review your access policy to make sure that it doesn't contain a duplicate statement or two statements with the same Sid, and that consecutive statements in the Statement array are separated by a comma.

My subscription ID shows as "Deleted" in the Amazon SNS console

In a cross-account SNS and SQS integration, the account from which the subscription is created owns the subscription.

If you create the subscription from the SQS account (account A), then account A owns the subscription. If you create it from the SNS account (account B), then account B owns the subscription.

If you call the Unsubscribe API from an account that doesn't own the subscription, or you delete the subscription in that account's console, then the subscription enters the Deleted status. While the subscription is in Deleted status, the account that owns it can't resubscribe the same endpoint to the topic.

After 48 hours, Amazon SNS clears the Deleted subscription, and the owning account can resubscribe the same endpoint to the topic.

To resubscribe before the 48 hours pass, call the Subscribe API from the AWS account that owns the SNS topic to re-create the subscription.

Best practices

Authenticate your SNS subscription to your SQS queue: when you confirm the subscription, set AuthenticateOnUnsubscribe to true (for example, with the ConfirmSubscription API or the aws sns confirm-subscription command). With this configuration, Unsubscribe requests must be signed, so only the topic owner and the subscription owner can unsubscribe the SQS queue from the SNS topic. Without it, anyone who obtains the UnsubscribeURL carried in a delivered notification can remove the subscription.
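The confirmation steps in Subscribe as a topic owner, the receive-message polling in the troubleshooting section, and the best practice above can be combined into one check. The following Python script is an added example, not code from the original article or from AWS. It reads the JSON that aws sqs receive-message returns, keeps only SubscriptionConfirmation messages, verifies that the TopicArn and the SubscribeURL belong to the topic you expect (assuming the standard aws partition, where the SNS endpoint is sns.<region>.amazonaws.com), and builds the aws sns confirm-subscription command with --authenticate-on-unsubscribe true instead of opening the URL in a browser. The queue output, topic ARN and token are constructed sample values.

```python
"""Validate an SNS SubscriptionConfirmation found in an SQS queue and build the
signed confirm-subscription call. Added example; runs offline."""
import json
from urllib.parse import parse_qs, urlparse

# Constructed placeholder: the topic in account B that we expect to be subscribed to.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:444455556666:cross-account-topic"

# Constructed stand-in for `aws sqs receive-message ... --output json` on the queue in account A.
SAMPLE_RECEIVE_OUTPUT = json.dumps({
    "Messages": [{
        "MessageId": "0a1b2c3d-0000-4000-8000-000000000001",
        "ReceiptHandle": "AQEBexampleReceiptHandle",
        "Body": json.dumps({
            "Type": "SubscriptionConfirmation",
            "MessageId": "9f8e7d6c-0000-4000-8000-000000000002",
            "Token": "EXAMPLETOKEN0123456789",
            "TopicArn": EXPECTED_TOPIC_ARN,
            "Message": "You have chosen to subscribe to the topic " + EXPECTED_TOPIC_ARN,
            "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                            "&TopicArn=" + EXPECTED_TOPIC_ARN + "&Token=EXAMPLETOKEN0123456789",
            "Timestamp": "2024-01-01T00:00:00.000Z",
        }),
    }]
})


def find_confirmations(receive_output):
    """Return the parsed bodies of every SubscriptionConfirmation message in the
    receive-message result; ordinary notifications and non-JSON bodies are skipped."""
    result = json.loads(receive_output) if isinstance(receive_output, str) else receive_output
    found = []
    for message in result.get("Messages", []):
        try:
            body = json.loads(message.get("Body", ""))
        except json.JSONDecodeError:
            continue
        if isinstance(body, dict) and body.get("Type") == "SubscriptionConfirmation":
            found.append(body)
    return found


def validate_confirmation(body, expected_topic_arn):
    """Check that the confirmation is for the topic we subscribed and that SubscribeURL
    is an https ConfirmSubscription request to the SNS endpoint of that topic's region,
    carrying the same TopicArn and Token as the message. Returns (ok, reason).
    Assumes the standard aws partition for the endpoint host name."""
    if body.get("TopicArn") != expected_topic_arn:
        return False, f"TopicArn {body.get('TopicArn')!r} is not the expected topic"
    url = urlparse(body.get("SubscribeURL", ""))
    region = expected_topic_arn.split(":")[3]
    if url.scheme != "https" or url.hostname != f"sns.{region}.amazonaws.com":
        return False, f"SubscribeURL host {url.hostname!r} is not the SNS endpoint for {region}"
    query = parse_qs(url.query)
    if query.get("Action") != ["ConfirmSubscription"]:
        return False, "SubscribeURL is not a ConfirmSubscription request"
    if query.get("TopicArn") != [expected_topic_arn]:
        return False, "SubscribeURL TopicArn differs from the message TopicArn"
    if not body.get("Token") or query.get("Token") != [body["Token"]]:
        return False, "Token in SubscribeURL does not match the message Token"
    return True, "ok"


def confirm_command(body, authenticate_on_unsubscribe=True):
    """argv for the AWS CLI call that replaces opening SubscribeURL in a browser.
    --authenticate-on-unsubscribe true makes later Unsubscribe calls require an AWS
    signature, so only the topic owner or subscription owner can remove the subscription."""
    cmd = ["aws", "sns", "confirm-subscription",
           "--topic-arn", body["TopicArn"],
           "--token", body["Token"]]
    if authenticate_on_unsubscribe:
        cmd += ["--authenticate-on-unsubscribe", "true"]
    return cmd


if __name__ == "__main__":
    for confirmation in find_confirmations(SAMPLE_RECEIVE_OUTPUT):
        ok, reason = validate_confirmation(confirmation, EXPECTED_TOPIC_ARN)
        print(" ".join(confirm_command(confirmation)) if ok else f"refused: {reason}")
```

Run the printed command with credentials that are allowed to call sns:ConfirmSubscription on the topic; because the CLI signs the request, the AuthenticateOnUnsubscribe flag takes effect, which is what the best practice above asks for. The host check matters because a message that reaches the queue from an unexpected source could carry a SubscribeURL pointing anywhere.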

Related information

Sending Amazon SNS messages to an Amazon SQS queue in a different account

Allow Amazon Simple Storage Service (Amazon S3) event notifications to publish to a topic

How do I resolve authorization errors when trying to add subscribers to an Amazon SNS topic?

Understanding the data key reuse period

AWS OFFICIAL
Updated a day ago