Queue Resource Policy

[Figure 23]

  1. Access the SQS Console in your browser at https://console.aws.amazon.com/sqs/home?region=us-east-1#
  2. Refer to the collected output values from your CloudFormation stack. Note the value of the “SQSQueueName” output. This is your SQS Queue.
  3. Select your SQS Queue in the upper pane of the AWS console. Details for the endpoint are presented in the lower pane.
  4. In the lower main pane, select the tab titled “Permissions” and then click “Edit Policy Document (Advanced)”. A popup window appears.

Update the SQS policy in your lab

  1. Refer to the collected output values from your CloudFormation stack. Note the value of the “SQSQueueARN” output. This is your SQS Queue ARN.
  2. Replace the placeholder value “sqsexampleARN” with the ARN of the queue created during CloudFormation lab setup and captured from the outputs table (format will be arn:aws:sqs::exampleacctid:examplequeuename).
  3. Refer to the collected output values from your CloudFormation stack. Note the value of the “SQSVPCInterfaceEndpoint” output. This is your Interface VPC Endpoint.
  4. Replace the example endpoint ID string “vpce-vpceid” with the ID of the Interface VPC endpoint created during CloudFormation lab setup and captured from the outputs table (format will be vpce-xxxxx).
  5. Having updated the example policy (below) with the values for your resources, paste it into the popup window as the queue's resource policy.
  6. Click Review Changes, then click Save Changes. The queue with the updated resource policy is displayed in the console.

SQS Queue (resource) policy template / example

{
  "Version": "2012-10-17",
  "Id": "vpc-endpoints-lab-sqs-queue-resource-policy",
  "Statement": [
    {
      "Sid": "all-messages-sent-from-interface-vpc-endpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "sqsexampleARN",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-vpceid"
        }
      }
    },
    {
      "Sid": "all-messages-received-from-interface-vpc-endpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "sqsexampleARN",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-vpceid"
        }
      }
    },
    {
      "Sid": "all-messages-deleted-from-interface-vpc-endpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:DeleteMessage",
      "Resource": "sqsexampleARN",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-vpceid"
        }
      }
    }
  ]
}
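The steps above ask you to hand-edit two placeholders in the policy template, and the security of the result depends entirely on the Condition block surviving that edit: "Principal": "*" with no aws:sourceVpce condition would make the queue reachable from anywhere, not just from the endpoint. The following script is an added example, not part of the lab or of any AWS tool. It builds the template with validated values, renders it for pasting into the console, lints a policy for wildcard principals that lack a condition, and approximates how the resource-policy half of the access decision treats requests that do or do not arrive through the endpoint. The queue ARN and endpoint ID are constructed sample values in the shapes the lab describes; substitute your SQSQueueARN and SQSVPCInterfaceEndpoint outputs.

```python
"""Build, render and lint the lab's SQS queue resource policy.

Added example, not the lab's own code. Sample values are constructed.
"""
import json
import re

# Constructed placeholders in the shapes the lab describes (not real resources).
SAMPLE_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:vpc-endpoints-lab-queue"
SAMPLE_VPCE_ID = "vpce-0123456789abcdef0"

# Assumed shapes: arn:aws:sqs:<region>:<12-digit account>:<queue name>, and
# vpce- followed by 8 or 17 hex characters.
QUEUE_ARN_RE = re.compile(r"^arn:aws:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]+$")
VPCE_ID_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")

# (Sid, action) pairs exactly as in the lab's template.
STATEMENTS = (
    ("all-messages-sent-from-interface-vpc-endpoint", "sqs:SendMessage"),
    ("all-messages-received-from-interface-vpc-endpoint", "sqs:ReceiveMessage"),
    ("all-messages-deleted-from-interface-vpc-endpoint", "sqs:DeleteMessage"),
)


def build_queue_policy(queue_arn, vpce_id):
    """Return the lab's policy with both placeholders filled in.

    Rejects values that do not look like a queue ARN or an endpoint ID, so a
    leftover placeholder such as "sqsexampleARN" cannot produce a policy that
    silently matches nothing or points at the wrong resource.
    """
    if not QUEUE_ARN_RE.match(queue_arn):
        raise ValueError(f"not an SQS queue ARN: {queue_arn!r}")
    if not VPCE_ID_RE.match(vpce_id):
        raise ValueError(f"not an interface VPC endpoint ID: {vpce_id!r}")
    return {
        "Version": "2012-10-17",
        "Id": "vpc-endpoints-lab-sqs-queue-resource-policy",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Principal": "*",
                "Action": action,
                "Resource": queue_arn,
                "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}},
            }
            for sid, action in STATEMENTS
        ],
    }


def render_policy(policy):
    """Pretty-print the policy as the JSON you paste into the console popup."""
    return json.dumps(policy, indent=2)


def find_open_statements(policy):
    """Return Sids of Allow statements that grant a wildcard principal with
    no Condition at all. Such a statement opens the queue to any caller, which
    is precisely what the aws:sourceVpce condition is there to prevent."""
    open_sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if wildcard and not stmt.get("Condition"):
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids


def allowed_by_policy(policy, action, resource, source_vpce):
    """Approximate the resource-policy part of the access decision.

    True only when some Allow statement matches the action and resource and
    its aws:sourceVpce condition matches the request. A request that did not
    come through the endpoint carries no aws:sourceVpce key, so a StringEquals
    condition on it evaluates false and the statement grants nothing.
    Simplified on purpose: exact-match Action/Resource only, no Deny
    statements, and no identity (IAM) policy evaluation.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or stmt["Resource"] != resource:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:sourceVpce")
        if wanted is None or wanted == source_vpce:
            return True
    return False


if __name__ == "__main__":
    policy = build_queue_policy(SAMPLE_QUEUE_ARN, SAMPLE_VPCE_ID)
    print(render_policy(policy))
    print("open statements:", find_open_statements(policy))
```

Run it once with your own values to get the JSON for step 5; the lint is the check worth keeping in any pipeline that writes queue policies, since the wildcard principal is only safe while the condition is attached. The evaluation helper is deliberately narrower than the real engine: it does not model Deny statements or the caller's IAM policy, so treat a True result as "this policy contributes an Allow", not as a complete authorization answer.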

Important Interface Endpoint Considerations:

  • When you create an interface endpoint, we generate endpoint-specific DNS hostnames that you can use to communicate with the service. For AWS services and AWS Marketplace Partner services, private DNS (enabled by default) associates a private hosted zone with your VPC. The hosted zone contains a record set for the default DNS name for the service (for example, ec2.us-east-1.amazonaws.com) that resolves to the private IP addresses of the endpoint network interfaces in your VPC. This enables you to make requests to the service using its default DNS hostname instead of the endpoint-specific DNS hostnames. For example, if your existing applications make requests to an AWS service, they can continue to make requests through the interface endpoint without requiring any configuration changes. For each interface endpoint, you can choose only one subnet per Availability Zone.
  • By default, each interface endpoint can support a bandwidth of up to 10 Gbps per Availability Zone. Additional capacity can be added automatically based on your usage.
  • An interface endpoint supports TCP traffic only.
  • Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.