Reports Engine EC2 to SQS

Verify that ReportsEngine EC2 can successfully read and delete messages from the queue via the Interface VPC Endpoint

  1. Refer to the collected output values from your CloudFormation stack. Note the value of the “SQSQueueURL” output. Also note the AWS Region where your lab is running (e.g. us-east-1). You will substitute these values into the commands below.

Ensure that your session is connected to the ReportsEngine EC2 instance. You will execute step 2 from the ReportsEngine EC2 instance bash prompt. Execute the following command to connect to the ReportsEngine EC2 instance, as needed:

ssh ec2-user@reportsengine -i vpce.pem

  2. Execute the commands below after replacing <region> with the Region of your lab and <sqsqueueurlvalue> with the SQSQueueURL output collected in step 1. In the delete-message command, replace <receipthandle> with the ReceiptHandle value returned by the receive-message command. The nslookup should return private IP addresses from your VPC (the network interfaces of the Interface Endpoint); this confirms that the regional SQS hostname is resolved through the endpoint's private DNS rather than to the public service.

    nslookup sqs.<region>.amazonaws.com
    aws sts get-caller-identity
    aws sqs receive-message --queue-url <sqsqueueurlvalue> --endpoint-url https://sqs.<region>.amazonaws.com --region <region>
    aws sqs delete-message --queue-url <sqsqueueurlvalue> --endpoint-url https://sqs.<region>.amazonaws.com --region <region> --receipt-handle <receipthandle>
    
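The script below is an added example, not part of the lab's own instructions. It performs the same four steps as the commands above (name lookup, caller identity, receive, delete) from Python and adds two checks a practitioner wants: that the regional SQS hostname resolves to private addresses, and that a delete is only attempted with a receipt handle that was actually returned (an empty receive, for example when the queue has no message left, must not be mistaken for a denied call). It assumes boto3 is available in the instance's Python environment and takes the SQSQueueURL and Region on the command line; the `sqs` client is injectable so the receive/delete logic can be exercised offline with a fake.

```python
"""Receive one message from the lab queue through the interface endpoint and delete it.

Added example (not the lab's code). Assumes boto3 is installed on the instance and
that the queue URL and region are passed as command-line arguments.
"""
import ipaddress
import socket
import sys
from typing import List, Optional


def sqs_endpoint_url(region: str) -> str:
    """Regional SQS endpoint, the same value passed to --endpoint-url in the manual steps."""
    return f"https://sqs.{region}.amazonaws.com"


def is_private_ip(addr: str) -> bool:
    """True for an address in a private range, i.e. one of the endpoint's ENIs inside the VPC."""
    return ipaddress.ip_address(addr).is_private


def resolve_host(hostname: str) -> List[str]:
    """Python equivalent of the nslookup step: every IPv4 address the name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def receive_and_delete(sqs, queue_url: str, wait_seconds: int = 5) -> Optional[str]:
    """Receive one message and delete it.

    Returns the receipt handle that was deleted, or None when no message was handed out.
    `sqs` is any object with boto3-style receive_message / delete_message methods, so a
    fake client can be injected to test the logic without network access.
    """
    resp = sqs.receive_message(
        QueueUrl=queue_url,
        MaxNumberOfMessages=1,
        WaitTimeSeconds=wait_seconds,  # long poll so an empty queue does not look like a denied call
    )
    messages = resp.get("Messages", [])
    if not messages:
        return None  # nothing received, so there is no valid receipt handle to delete with
    handle = messages[0]["ReceiptHandle"]
    sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=handle)
    return handle


def main(queue_url: str, region: str) -> int:
    import boto3  # assumption: boto3 is present in the instance's Python environment

    host = f"sqs.{region}.amazonaws.com"
    addrs = resolve_host(host)
    print(f"{host} -> {addrs}")
    if not addrs or not all(is_private_ip(a) for a in addrs):
        print("WARNING: name resolves to public addresses; the call will not use the "
              "interface endpoint", file=sys.stderr)

    sts = boto3.client("sts", region_name=region)
    print("caller identity:", sts.get_caller_identity()["Arn"])

    sqs = boto3.client("sqs", region_name=region, endpoint_url=sqs_endpoint_url(region))
    handle = receive_and_delete(sqs, queue_url)
    if handle:
        print("deleted receipt handle:", handle)
    else:
        print("queue was empty, nothing deleted")
    return 0


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <SQSQueueURL> <region>")
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it on the ReportsEngine instance as `python3 verify_sqs.py <sqsqueueurlvalue> <region>`. If the warning about public addresses appears, the endpoint's private DNS is not in effect for this instance and the ReceiveMessage call, even if it succeeds, is not going through the Interface Endpoint.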

Expected Behavior

The reports engine EC2 instance can read messages from SQS via the interface endpoint.

verifyfigure9

The reports engine EC2 instance can delete messages from SQS via the interface endpoint.

verifyfigure10

Why does this work?

A. The AWS CLI signs the API request with the credentials of the identity returned by aws sts get-caller-identity, the reportsengine role (note: this identity is granted the “sqs:ReceiveMessage” and “sqs:DeleteMessage” API calls via IAM). The call is initiated from the ReportsEngine EC2 instance. The Interface Endpoint security group has an inbound rule that allows all TCP traffic from the security group used by the ReportsEngine EC2 instance, so network connectivity to the Interface Endpoint succeeds.

B. The Interface Endpoint policy allows “sqs:SendMessage”, “sqs:ReceiveMessage” and “sqs:DeleteMessage” API calls to be made by any principal within the AWS account to the vpce-us-east-1-sqs-queue. The “sqs:ReceiveMessage” API call to the vpce-us-east-1-sqs-queue is permitted by the endpoint policy.

C. The SQS resource policy for the vpce-us-east-1-sqs-queue allows the “sqs:SendMessage”, “sqs:ReceiveMessage” and “sqs:DeleteMessage” API calls under the condition that they originate from the source VPC Endpoint (the aws:SourceVpce condition key). The request arrived through that endpoint, so the condition is met and the request is fulfilled.

Note: The same evaluation process applies to the “sqs:DeleteMessage” API call from the ReportsEngine EC2 instance. It should also be noted that the SalesApp role is not granted “sqs:DeleteMessage” via IAM, so the same call from the SalesApp EC2 instance would be denied at step A even though the endpoint policy and the queue policy would both allow it.
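The following is an added example, not the lab's code and not the real IAM evaluation engine: a deliberately simplified evaluator that models the three layers described in A, B and C (identity policy, endpoint policy, queue resource policy with an aws:SourceVpce condition). It handles only Allow statements, exact action and resource matches, an account-root principal standing for "any principal in the account", and a StringEquals condition. That is enough to reproduce why ReceiveMessage and DeleteMessage succeed from ReportsEngine, why DeleteMessage from SalesApp does not, and why the same call is refused by the queue policy when it does not arrive through the endpoint. The policy documents are constructed from what this page states; the account id, the endpoint id and the SalesApp role's SendMessage permission are assumptions.

```python
"""Simplified model of the three policy layers that gate the SQS calls (added example)."""
from typing import Dict, Optional

ACCOUNT = "123456789012"                 # assumed account id
VPCE_ID = "vpce-0123456789abcdef0"       # assumed id of the SQS interface endpoint
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:vpce-us-east-1-sqs-queue"
ALL_THREE = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]

# Layer A: IAM identity policies attached to the instance roles (no Principal element).
IDENTITY_POLICIES = {
    "reportsengine": {"Statement": [{"Effect": "Allow",
                                     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
                                     "Resource": QUEUE_ARN}]},
    "salesapp": {"Statement": [{"Effect": "Allow",
                                "Action": ["sqs:SendMessage"],  # assumed; page only says no DeleteMessage
                                "Resource": QUEUE_ARN}]},
}

# Layer B: endpoint policy, evaluated only for requests that traverse the endpoint.
ENDPOINT_POLICY = {"Statement": [{"Effect": "Allow",
                                  "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                                  "Action": ALL_THREE, "Resource": QUEUE_ARN}]}

# Layer C: queue (resource) policy, conditioned on the request's source endpoint.
QUEUE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": ALL_THREE, "Resource": QUEUE_ARN,
                               "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt: dict, principal_arn: str) -> bool:
    p = stmt.get("Principal")
    if p is None or p == "*":
        return True
    account = principal_arn.split(":")[4]
    for allowed in _as_list(p["AWS"]):
        # the account root principal covers every IAM principal in that account
        if allowed == principal_arn or allowed == f"arn:aws:iam::{account}:root":
            return True
    return False


def _conditions_hold(stmt: dict, context: Dict[str, str]) -> bool:
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False  # a missing key fails StringEquals just like a wrong value
    return True


def policy_allows(policy: dict, principal_arn: str, action: str, resource: str,
                  context: Dict[str, str]) -> bool:
    """True if some Allow statement matches principal, action, resource and conditions."""
    return any(
        stmt["Effect"] == "Allow"
        and _principal_matches(stmt, principal_arn)
        and action in _as_list(stmt["Action"])
        and resource in _as_list(stmt["Resource"])
        and _conditions_hold(stmt, context)
        for stmt in policy["Statement"]
    )


def evaluate(role: str, action: str, source_vpce: Optional[str] = None) -> Dict[str, Optional[bool]]:
    """Run one request through the three layers.

    'endpoint' is None when the request does not traverse the endpoint (the endpoint
    policy is then simply not in the path); the overall verdict needs every applicable
    layer to allow the call.
    """
    principal = f"arn:aws:iam::{ACCOUNT}:role/{role}"
    context = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    result: Dict[str, Optional[bool]] = {
        "iam": policy_allows(IDENTITY_POLICIES[role], principal, action, QUEUE_ARN, context),
        "endpoint": (policy_allows(ENDPOINT_POLICY, principal, action, QUEUE_ARN, context)
                     if source_vpce else None),
        "resource": policy_allows(QUEUE_POLICY, principal, action, QUEUE_ARN, context),
    }
    result["allowed"] = all(v for v in result.values() if v is not None)
    return result


if __name__ == "__main__":
    cases = [("reportsengine", "sqs:ReceiveMessage", VPCE_ID),
             ("reportsengine", "sqs:DeleteMessage", VPCE_ID),
             ("salesapp", "sqs:DeleteMessage", VPCE_ID),
             ("reportsengine", "sqs:ReceiveMessage", None)]  # e.g. same role, but not via the endpoint
    for role, action, vpce in cases:
        print(f"{role:14} {action:19} {'via endpoint' if vpce else 'not via endpoint':17}", evaluate(role, action, vpce))
```

The last case is the one the lab does not exercise but a reviewer should keep in mind: the ReportsEngine role has the IAM permission, yet without aws:SourceVpce in the request context the queue policy's condition fails, so the call is refused regardless of where the credentials came from.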

figure30