How do I configure my cross-account Amazon SQS endpoint to the Amazon SNS topic?

Short description

You can create a subscription from Amazon Simple Notification Service (Amazon SNS) topic as the topic owner or from the Amazon Simple Queue Service (Amazon SQS) queue as the queue owner. For the latter, the Amazon SQS queue needs the appropriate permissions to allow the queue to send messages to the Amazon SNS topic.

Resolution

Prerequisites

Make sure that your SNS topic access policy in account B has the appropriate permissions. This allows the SQS queue in account A to subscribe to the SNS topic.

Subscribe as a queue owner

As a queue owner, follow these steps to subscribe your SQS queue in account A to your SNS topic in account B:

1. Log in to the AWS Management Console, and then navigate to the Amazon SQS console in account A.
2. Choose Queues, and then select your SQS queue.
3. In the SNS subscriptions section, select Subscribe to Amazon SNS topic.
4. Select the Choose a topic from the dropdown list. Then, choose Enter Amazon SNS topic ARN.
5. Fill in your SNS topic ARN in the An Amazon SNS topic that can send notifications to an Amazon SQS queue text field.
6. Select Save.
7. Log in to the AWS Management Console, and then navigate to the Amazon SNS console in account B.
8. Choose Topics, and then select your SNS topic.
9. Verify that the subscription is confirmed for your SNS topic in account B by looking under the Subscriptions section.

Subscribe as a topic owner

As a topic owner, follow these steps to subscribe your SQS queue in another account:

Modify the access policy in account B

1. Log in to the AWS Management Console, and then navigate to the Amazon SNS console in account B
2. Choose Topics, and then select your SNS topic.
3. Select Edit on the top right of the page.
4. Expand the Access policy - optional section. Copy and paste the following access policy in the JSON editor section. (Make sure that you replace the AWS account and SNS topic ARN with your own values.) Then, choose Save changes at the bottom.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic"
    }
  ]
}

Modify the SQS queue in account A

1. Log in to the AWS Management Console, and then navigate to the Amazon SQS console in account A.
2. Choose Queues, and then select your SQS queue.
3. Select Edit on the top right of the page.
4. Navigate to the Access policy section. Copy and paste the following access policy in the JSON editor. (Make sure that you replace the SQS Queue ARN and SNS Topic ARN with your own values.)

{
  "Sid": "Stmt1234",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "sqs:SendMessage",
  "Resource": "arn:aws:sqs:us-west-2:111111111111:QueueName",
  "Condition": {
    "ArnEquals": {
      "aws:SourceArn": "arn:aws:sns:us-west-2:555555555555:TopicName"
    }
  }
}

Subscribe SQS queue from SNS topic in account B

Log in to the AWS Management Console, and then navigate to the Amazon SNS console in account B. Choose Topics, and then select your SNS topic.

1. Under Subscriptions, select Create subscription.
2. Choose the Protocol dropdown list, and then select Amazon SQS.
3. Select Create subscription.
4. Log in to the AWS Management Console, and then navigate to the Amazon SQS console in account A. Choose Queues, and then select your SQS queue.
5. Choose Send and receive messages on the top right of the page.
6. Select Poll for messages. A message from Amazon SNS appears under the Messages section.
7. Select the message ID. Locate the SubscribeURL, and then copy the URL in quotation marks.
8. Paste this URL link in your web browser.
9. Log in to the AWS Management Console, and then navigate to the Amazon SNS console in account B. Choose Topics, and then select your SNS topic.
10. Verify that the subscription is confirmed by looking at the subscription Status under Subscriptions.

Troubleshooting tips

My subscription is still pending in the SNS console when I create my subscription in the Amazon SNS console.

Use the following steps to troubleshoot the error:

• Delete your subscription, and then start over from step 9, above.
• Poll your SQS queue using the AWS CLI by using the following command to retrieve the SubscriptionURL:

aws sqs receive-message --queue-url https**:**//sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --attribute-names All --message-attribute-names All --max-number-of-messages 10

Note: If you receive errors when running the CLI commands, make sure that you're using the most recent version of the AWS CLI. Copy and paste this URL in your browser to confirm the subscription. Make sure to replace the queue URL with your own.

When I copy and paste my SNS Topic Access policy, I receive an error "Couldn't set topic access policy.
Error code: InvalidParameter - Error message: An error occurred while setting the attribute access policy. Invalid parameter: Policy Error: null."

Use the following steps to troubleshoot the error:

• Copy and paste the access policy in the JSON Validator tool to make sure that the syntax of your policy is correct.
• Review your access policy to make sure that you do not have a duplicate Statement. Make sure that there's a comma after your first Statement ID.

Best practices

Authenticate your SNS subscription to your SQS queue. With this configuration, only the topic owner and subscription owner can unsubscribe the SQS queue from the SNS topic.

Related information

Sending Amazon SNS messages to an Amazon SQS queue in a different account

Allow Amazon Simple Storage Service (Amazon S3) event notifications to publish to a topic

How do I resolve authorization errors when trying to add subscribers to Amazon SNS?