
Permissions required to make cross region and cross account call from Lambda to SQS queue


What permissions are required to make cross-region and cross-account calls from Lambda to SQS? Context: I want my Lambda to write to two different SQS queues in a different account; one queue is in the same region, the other in a different region.

1 Answer

To enable your Lambda function to write messages to SQS queues in different accounts and regions, you need two sets of permissions:

1. Lambda Execution Role Permissions

Add the following policy to your Lambda execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": [
        "arn:aws:sqs:same-region:target-account-id:queue-name",
        "arn:aws:sqs:different-region:target-account-id:queue-name"
      ]
    }
  ]
}

2. SQS Queue Policies

Each target SQS queue must have a policy allowing your Lambda's account to send messages:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::lambda-account-id:role/lambda-execution-role"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:region:target-account-id:queue-name"
    }
  ]
}

Apply this policy to both queues, adjusting the region and queue name for each.

The location of the queues (same or different region) doesn't change the permission model - you just need to specify the correct queue ARNs in both policies.

For more details:

AWS
answered a year ago
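The two policies above grant the access; the function code still has to address each queue correctly. The following is an added example (not from the answer above or from AWS): a Lambda handler that derives the region and owner account from each queue ARN, uses the full cross-account queue URL, and creates one SQS client per region. The ARNs, the QUEUE_ARNS environment variable and the queue names are constructed placeholders.

```python
import json
import os
from typing import Callable, Dict, List, NamedTuple

# Constructed placeholder ARNs (same shape as in the answer), one queue per region.
QUEUE_ARNS = os.environ.get("QUEUE_ARNS", "arn:aws:sqs:us-east-1:111111111111:orders,"
                            "arn:aws:sqs:eu-west-1:111111111111:orders-eu").split(",")

class QueueRef(NamedTuple):
    region: str
    account_id: str
    name: str

    @property
    def url(self) -> str:
        # Cross-account sends need the full URL, which carries the owner's account id;
        # a bare queue name would be resolved in the caller's own account instead.
        return f"https://sqs.{self.region}.amazonaws.com/{self.account_id}/{self.name}"

def parse_queue_arn(arn: str) -> QueueRef:
    """Split 'arn:aws:sqs:<region>:<account-id>:<queue-name>' into its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sqs"]:
        raise ValueError(f"not an SQS queue ARN: {arn}")
    region, account_id, name = parts[3:]
    if not region or len(account_id) != 12 or not account_id.isdigit() or not name:
        raise ValueError(f"malformed SQS queue ARN: {arn}")
    return QueueRef(region, account_id, name)

def _default_client_factory(region: str):
    import boto3  # imported lazily so the ARN logic above is testable without it
    return boto3.client("sqs", region_name=region)

def send_to_queues(payload: dict, queue_arns: List[str],
                   client_factory: Callable[[str], object] = _default_client_factory) -> Dict[str, str]:
    """Send one message to every queue, one SQS client per region; returns {ARN: MessageId}."""
    clients: Dict[str, object] = {}
    body, results = json.dumps(payload), {}
    for arn in queue_arns:
        ref = parse_queue_arn(arn)
        # Build the client in the queue's own region so the request is signed for,
        # and sent to, that region's SQS endpoint.
        if ref.region not in clients:
            clients[ref.region] = client_factory(ref.region)
        resp = clients[ref.region].send_message(QueueUrl=ref.url, MessageBody=body)
        results[arn] = resp["MessageId"]
    return results

def lambda_handler(event, context):
    return send_to_queues(event, QUEUE_ARNS)
```

If a send is denied, check both sides: the execution role must list that queue's ARN, and that queue's policy must name the role as principal.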
