Cross-stack AWS SQS Permissions

Sean Mckeon
2 min read · Mar 27, 2022

This took multiple days to figure out, which is slightly embarrassing. I’m documenting the solution here to hopefully save you some time.

OK, so let’s say you have two AWS CloudFormation stacks. For simplicity, we’ll call them sender and receiver. The receiver owns the queue (it was created as part of the receiver stack). You need to grant the sender permission to add messages to that queue. Here’s a visual:

Diagram: sending a message from one stack to another using SQS.

Seems simple, right? Well, the solution is pretty simple. Here you go. You’re welcome!

Assuming you are encrypting your messages, you’ll need to grant the sender access to the KMS key. This goes in the receiver stack (CDK):

Allow the sender to encrypt using the receiver’s KMS key.

Then grant access to send messages. This is also in the receiver stack (CDK):

Allow the sender to send messages to your receiver queue.

Presto. Your sender now has access to send messages to the receiver queue.

I know. Simple right?

Note: there are multiple ways to grant these permissions. The goal here was to grant access from the receiver stack, which owns the queue. It’s also possible to grant access from the sender stack … but that seemed less secure: a sender stack should not grant itself access to resources it doesn’t own.
