AWS — SQS Access Using IAM Assume Roles

Manoj Kanduri
Mar 6, 2019


Limiting access to an SQS queue to a role assumed from an EC2 instance hosted in a specific subnet, identified by its CIDR range. The IAM role's trust policy controls who may assume it; the queue policy restricts which role, from which source addresses, may use the queue.

AWS Console

Step 1: AWS → IAM → Create Instance Role “fom-instance-role” for EC2

  • Spin up an EC2 instance with “fom-instance-role” attached as its instance profile.
  • The instance is provisioned in a subnet with CIDR range 10.88.12.0/22 (10.88.12.0 to 10.88.15.255).

Step 2: Create Policy “fom-svc-policy” granting the queue actions needed (send, receive, delete) on the queue only

Step 3: Create User “fom-svc”

  • Generate an access key pair and download it. The secret access key is shown only at creation time, so store it securely and rotate it; it is a long-lived credential.

Step 4: Edit Instance Role “fom-instance-role”

  • Attach “fom-svc-policy” to the role as an existing policy.
  • Add a trust relationship that lets the “fom-svc” user (arn:aws:iam::012345678901:user/fom-svc) call sts:AssumeRole on the role, alongside the ec2.amazonaws.com service principal that the instance profile needs.

Step 5: Create SQS Queue “fom-queue”

  • The queue ARN has the form arn:aws:sqs:<region>:012345678901:fom-queue (the arn:aws:iam::…:role/ form is a role ARN, not a queue ARN).
  • Add a queue policy for fom-instance-role (arn:aws:iam::012345678901:role/fom-instance-role) restricted to source CIDR 10.88.12.0/22
    - Permission to receive, send and delete messages.
    - Caveat: the aws:SourceIp condition key holds the address SQS sees. Over the public SQS endpoint (NAT gateway or proxy) that is the public egress address, never a 10.x address, so a private CIDR only matches when the queue is reached through an interface VPC endpoint, where the private address is carried in aws:VpcSourceIp instead.
  • SQS → Permissions → Edit Policy
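The console steps above as CLI equivalents, including the three policy documents the article does not show. This is an added example, not the article's own code: the account id, role, policy, user and queue names are the article's; the region (us-east-1), the derived queue ARN, the exact SQS actions, and the "create" argument that gates the AWS calls are assumptions. The ip_in_cidr helper evaluates the IpAddress condition locally so you can see which egress addresses the queue policy can ever admit.

```bash
#!/usr/bin/env bash
# Added example (not from the article): CLI equivalents of the console steps.
# Account id and names are the article's; region, queue ARN and SQS actions
# are assumptions.
set -eu

ACCOUNT_ID=012345678901
REGION=${AWS_REGION:-us-east-1}      # assumption: the article names no region
ROLE_NAME=fom-instance-role
POLICY_NAME=fom-svc-policy
USER_NAME=fom-svc
QUEUE_NAME=fom-queue
CIDR=10.88.12.0/22
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
USER_ARN="arn:aws:iam::${ACCOUNT_ID}:user/${USER_NAME}"
QUEUE_ARN="arn:aws:sqs:${REGION}:${ACCOUNT_ID}:${QUEUE_NAME}"  # SQS ARNs carry a region, no "role/"

# Trust policy (Step 4): EC2 may assume the role so the instance profile works,
# and so may the fom-svc user via sts:AssumeRole.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "${USER_ARN}"}, "Action": "sts:AssumeRole"}
  ]
}
EOF
}

# fom-svc-policy (Step 2), attached to the role in Step 4: three queue actions
# on this one queue, nothing else.
role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
    "Resource": "${QUEUE_ARN}"
  }]
}
EOF
}

# Queue policy (Step 5): same actions, only for the role, only from the CIDR.
# $1 picks the condition key: aws:SourceIp is what SQS sees over the public
# endpoint (the NAT/proxy egress address); aws:VpcSourceIp is the instance's
# private address when the queue is reached through an interface VPC endpoint,
# the only path on which a 10.88.12.0/22 condition can match.
queue_policy() {
  local ip_key=${1:-aws:SourceIp}
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "FomRoleFromSubnet",
    "Effect": "Allow",
    "Principal": {"AWS": "${ROLE_ARN}"},
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
    "Resource": "${QUEUE_ARN}",
    "Condition": {"IpAddress": {"${ip_key}": "${CIDR}"}}
  }]
}
EOF
}

# Integer value of a dotted-quad IPv4 address (pure shell, no external tools).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# The IpAddress condition evaluated locally: is address $1 inside CIDR $2?
ip_in_cidr() {
  local addr net bits mask
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Create everything; needs administrative credentials and runs only when the
# script is invoked with the argument "create".
create_all() {
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "$(role_policy)" --query Policy.Arn --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam create-user --user-name "$USER_NAME"
  aws iam create-access-key --user-name "$USER_NAME"   # Step 3: the secret is printed once
  queue_url=$(aws sqs create-queue --queue-name "$QUEUE_NAME" --query QueueUrl --output text)
  # The Policy attribute is a JSON *string*, so the document is escaped onto one line.
  escaped=$(queue_policy aws:SourceIp | tr -d '\n' | sed 's/"/\\"/g')
  aws sqs set-queue-attributes --queue-url "$queue_url" --attributes "{\"Policy\": \"${escaped}\"}"
}

if [ "${1:-}" = create ]; then create_all; fi
```

Before applying the queue policy, run ip_in_cidr against the address SQS will actually see (the NAT gateway's Elastic IP for the public path, the instance's private IP for a VPC endpoint): if it is not inside 10.88.12.0/22, the condition will deny every request and the fix is either to switch the key to aws:VpcSourceIp and route through a VPC endpoint, or to put the public egress range in the condition.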

AWS EC2

Step 1: AWS Configure

  • ssh to the EC2 instance.
  • Configure the AWS CLI with the access keys of “fom-svc” (aws configure). Note that an instance launched with fom-instance-role already receives that role's temporary credentials from the instance metadata service; the long-lived fom-svc keys placed on the instance are an additional credential to protect and rotate.

Step 2: Setup Proxy (Optional). If requests leave through a proxy or NAT gateway, SQS sees the proxy's or NAT's egress address as the source IP, and that is the value any aws:SourceIp condition in the queue policy is evaluated against.

export HTTPS_PROXY=https://my.proxy.server:port/
export HTTP_PROXY=http://my.proxy.server:port/

Step 3: Assume Role (aws sts assume-role with the ARN of fom-instance-role; the response carries a temporary access key id, secret access key and session token)

Step 4: Configure the STS credentials (export AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, or write them to a profile with aws configure set)

Step 5: Send a message to the queue (aws sqs send-message)
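The EC2-side steps above as one script, an added example that is not part of the article. The account id, role name and queue name are the article's; the region (us-east-1), the queue URL derived from it, the named profile "fom-svc" holding the user's keys, the 15-minute session, and the "send" argument that gates the AWS calls are assumptions. The script also adds the check a practitioner wants before sending: that the active credentials really belong to the assumed role and not to the fom-svc user.

```bash
#!/usr/bin/env bash
# Added example (not from the article): assume fom-instance-role with the
# fom-svc user's keys, load the STS credentials, verify the identity, send.
set -eu

ACCOUNT_ID=012345678901
REGION=${AWS_REGION:-us-east-1}                       # assumption
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/fom-instance-role"
QUEUE_URL="https://sqs.${REGION}.amazonaws.com/${ACCOUNT_ID}/fom-queue"   # assumption

# Step 4 ("Configure STS token"): turn the one-line text output of assume-role
# into export statements for the three variables the CLI and every SDK read.
# $1 is "AccessKeyId SecretAccessKey SessionToken Expiration", tab separated,
# exactly as `--output text` prints it.
creds_to_env() {
  local key secret token expiry
  read -r key secret token expiry <<EOF
$1
EOF
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
  printf '# session expires at %s\n' "$expiry"
}

# Step 3 ("Assume Role"): call STS with the fom-svc user's keys (assumed to be
# in a named profile) and a session name that CloudTrail records next to every
# SQS call made with the resulting credentials.
assume_role() {
  local line
  line=$(aws sts assume-role --profile fom-svc \
      --role-arn "$ROLE_ARN" --role-session-name "$1" --duration-seconds 900 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text)
  creds_to_env "$line"
}

# Guard before sending: the caller must be the assumed role, not the
# long-lived fom-svc user. $1 is the Arn from `aws sts get-caller-identity`.
is_fom_role_session() {
  case "$1" in
    "arn:aws:sts::${ACCOUNT_ID}:assumed-role/fom-instance-role/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 5 ("Send Message to Q"): prints the MessageId on success.
send_message() {
  aws sqs send-message --queue-url "$QUEUE_URL" --message-body "$1" \
      --query MessageId --output text
}

main() {
  eval "$(assume_role "fom-$(hostname)-$$")"
  who=$(aws sts get-caller-identity --query Arn --output text)
  if ! is_fom_role_session "$who"; then
    echo "refusing to send: credentials belong to $who" >&2
    exit 1
  fi
  send_message '{"event": "hello from fom-instance-role"}'
}

if [ "${1:-}" = send ]; then main; fi
```

Run it as ./fom-send.sh send on the instance. The env-variable route keeps the temporary credentials in the current shell only; if you prefer the article's "configure STS token" step as a stored profile, the same three values go through aws configure set --profile <name> aws_access_key_id / aws_secret_access_key / aws_session_token, and they stop working when the 15-minute session expires.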

Written by Manoj Kanduri, Cloud Systems Architect, Software Engineer, Learner.
