Allowing internal teams to only post to SQS
What are the best practices to let consumers of my application post events to my application queue? Note: they will need only write access, to allow them to post events to the queue.

One way I could do this is to create a user with no access to the AWS console (just programmatic API access) and with an inline policy (example policy below) to only allow "SendMessage" for the resource. Are there any security issues in doing this? What is the best way to solve this use case?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sqs:SendMessage",
                "Resource": "arn:aws:sqs:*:123456789012:MyAppQueue"
            }
        ]
    }
amazon-web-services amazon-sqs
edited Nov 13 at 9:46 by mostafazh
asked Nov 11 at 4:54 by venkat Venkata
  • any luck trying out my answer? hope you found it helpful.
    – mostafazh
    Nov 11 at 20:28
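Written out as an added example (not part of the question or either answer): the question's policy as a complete identity policy with the region pinned, a queue (resource-based) policy that grants the same send-only right to a named role in another account, so an internal team needs neither an IAM user nor a long-lived access key, and a small linter that checks a policy really is send-only. The account ID is the one from the question; the region us-east-1, the queue ARN built from it and the role ARN arn:aws:iam::111122223333:role/TeamAProducer are assumed. The linter flags the question's `arn:aws:sqs:*:...` resource on purpose: queue names are unique only per account and region, so a region wildcard matches any queue of that name in every region the account uses.

```python
"""Send-only access to one SQS queue, plus a check that a policy stays send-only.

Added example, not code from the question or answers. The account ID comes
from the question; the region, queue ARN and producer role ARN are assumed.
"""
import json
import re

ACCOUNT = "123456789012"
REGION = "us-east-1"                      # assumed: pin the region instead of "*"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT}:MyAppQueue"
PRODUCER_ROLE_ARN = "arn:aws:iam::111122223333:role/TeamAProducer"   # assumed, another account


def producer_identity_policy(queue_arn: str = QUEUE_ARN) -> dict:
    """Identity-based policy attached to the producer's user or (better) role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendOnly",
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
        }],
    }


def queue_policy(producer_role_arn: str = PRODUCER_ROLE_ARN, queue_arn: str = QUEUE_ARN) -> dict:
    """Resource-based policy on the queue: one named role (cross-account is fine) may only send."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TeamAProducerSendOnly",
            "Effect": "Allow",
            "Principal": {"AWS": producer_role_arn},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
        }],
    }


SEND_ONLY = {"sqs:SendMessage"}
# One fully specified queue ARN: partition aws, a concrete region, 12-digit account, one queue name.
QUEUE_ARN_RE = re.compile(r"^arn:aws:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+(\.fifo)?$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_send_only(policy: dict) -> list:
    """Return findings for any Allow statement that grants more than sending to one queue."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        if "NotAction" in st or any("*" in a for a in actions):
            findings.append(f"{sid}: wildcard or NotAction in Action")
        elif not actions <= SEND_ONLY:
            findings.append(f"{sid}: extra actions {sorted(actions - SEND_ONLY)}")
        for resource in _as_list(st.get("Resource", [])):
            if not QUEUE_ARN_RE.match(resource):
                findings.append(f"{sid}: resource is not a single pinned queue ARN: {resource}")
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"{sid}: anonymous principal")
    return findings


if __name__ == "__main__":
    for name, policy in (("identity", producer_identity_policy()), ("queue", queue_policy())):
        print(name, json.dumps(policy, indent=2), "findings:", lint_send_only(policy))
```

Run the linter over every policy you attach to producers and to the queue itself; a queue policy with `"Principal": "*"` or an identity policy with `sqs:*` is exactly the drift it is meant to catch.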
2 Answers
You can use IAM users to control access to SQS. But you can also write an API that the users call with their message, and your API puts the message in SQS. This will make it easier for you to enable/disable access to consumers, add rate limiting, and do some validation on the message's content before sending it to SQS.

You could also use AWS API Gateway (and optionally AWS Lambda) instead of building and hosting your own API endpoint. (see this and this)
answered Nov 11 at 13:09 by mostafazh
The best practice is to use an AWS Role with proper permissions for your application when accessing AWS services. In order to use roles, your application must be deployed in AWS.

As far as the implementation goes, the best option (in my opinion) would be to create an API that will deal with sending messages to the SQS:

• Create a REST API using API Gateway and Lambda (for example, using the Serverless framework)

• Add permissions to the Lambda function to allow sending messages to the SQS

• Configure authentication for the API (recommended). The options are API key, Cognito or a custom authorizer.

With this scenario, your application will call the REST API, passing all information needed to be sent to the SQS.

Another option would be to run your custom application in AWS under a service Role that has permission to write to the SQS.
answered Nov 11 at 15:09 by dk-na
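Both answers describe the same front door: an API that authenticates the caller, validates the message and is itself the only principal allowed to send to the queue. The block below is an added example of that design and is not code from either answer. It is a Lambda proxy handler behind API Gateway that trusts only the principal the authorizer put into requestContext.authorizer.principalId (never a caller-supplied header), keeps a per-consumer kill switch so a team can be cut off without touching IAM, validates the body, and only then calls SQS. Assumed: the QUEUE_URL value, the consumer IDs team-a and team-b, the event type names, and that a Lambda or Cognito authorizer is configured on the method. The SQS client is injected so the block runs offline; in the deployed function it is boto3's `send_message`. The Lambda execution role gets the send-only policy from the question with the region pinned, so the function, not the teams, is the only writer. Per-consumer throttling is left to API Gateway usage plans, which is what the API key option in the answer above gives you.

```python
"""API Gateway + Lambda front door that is the only principal allowed to send to SQS.

Added example, not from either answer. Assumed: Lambda proxy integration, an
authorizer that populates requestContext.authorizer.principalId, and the names below.
"""
import json
import os
from typing import Callable, Optional

# Assumed queue URL; in the deployed function set QUEUE_URL in the environment.
QUEUE_URL = os.environ.get("QUEUE_URL", "https://sqs.us-east-1.amazonaws.com/123456789012/MyAppQueue")
MAX_BODY_BYTES = 64 * 1024                      # well under the 256 KiB SQS message limit
ALLOWED_EVENT_TYPES = {"order.created", "order.cancelled"}   # assumed schema
# Kill switch per consumer (assumed IDs): flip to False to cut a team off without touching IAM.
CONSUMERS = {"team-a": True, "team-b": False}


def _response(status: int, body: dict) -> dict:
    return {"statusCode": status, "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def validate_event(raw: str) -> dict:
    """Parse and validate the caller's JSON; raise ValueError on anything off-spec."""
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        raise ValueError("body is not JSON")
    if not isinstance(data, dict) or set(data) != {"type", "id", "payload"}:
        raise ValueError("expected exactly the keys type, id, payload")
    if data["type"] not in ALLOWED_EVENT_TYPES:
        raise ValueError(f"unknown event type {data['type']!r}")
    if not isinstance(data["id"], str) or not data["id"]:
        raise ValueError("id must be a non-empty string")
    if not isinstance(data["payload"], dict):
        raise ValueError("payload must be an object")
    return data


def handler(event: dict, context, send: Optional[Callable[..., dict]] = None) -> dict:
    """Lambda proxy handler. `send` defaults to boto3's SQS send_message when not injected."""
    if send is None:
        import boto3
        send = boto3.client("sqs").send_message
    # Identity comes from the authorizer only; a missing authorizer context is a misconfiguration.
    principal = (event.get("requestContext", {}).get("authorizer") or {}).get("principalId")
    if not principal:
        return _response(401, {"error": "unauthenticated"})
    if not CONSUMERS.get(principal, False):
        return _response(403, {"error": "consumer disabled"})
    try:
        data = validate_event(event.get("body") or "")
    except ValueError as exc:
        return _response(400, {"error": str(exc)})
    # Re-serialise what was validated so the queue never sees the raw request body,
    # and stamp the producer as a message attribute for the consumer side.
    send(
        QueueUrl=QUEUE_URL,
        MessageBody=json.dumps(data, separators=(",", ":")),
        MessageAttributes={"producer": {"DataType": "String", "StringValue": principal}},
    )
    return _response(202, {"accepted": data["id"]})
```

The function's execution role carries only `sqs:SendMessage` on the one pinned queue ARN; the teams hold no AWS credentials at all, only whatever the authorizer accepts, so revoking or throttling a team is an API-level change rather than an IAM one.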