Allowing internal teams to only post to SQS
up vote
1
down vote
favorite
What are the best practices to let consumers of my application post events to my application queue? Note: They will need only write access to allow them to post events to the queue.
One way I could do this is to create a user with no access to aws console (just programmatic API access) and with inline policy(example policy below) to only allow "SendMessage" for the resource. Are there any security issues in doing this? What is the best way to solve this use case?
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:123456789012:MyAppQueue"
}]
}
amazon-web-services amazon-sqs
edited Nov 13 at 9:46
mostafazh
1,533718
asked Nov 11 at 4:54
venkat Venkata
111
add a comment |
up vote
1
down vote
favorite
What are the best practices to let consumers of my application post events to my application queue? Note: They will need only write access to allow them to post events to the queue.
One way I could do this is to create a user with no access to aws console (just programmatic API access) and with inline policy(example policy below) to only allow "SendMessage" for the resource. Are there any security issues in doing this? What is the best way to solve this use case?
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:123456789012:MyAppQueue"
}]
}
amazon-web-services amazon-sqs
edited Nov 13 at 9:46
mostafazh
1,533718
asked Nov 11 at 4:54
venkat Venkata
111
any luck trying out my answer? hope you found it helpful.
– mostafazh
Nov 11 at 20:28
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
What are the best practices to let consumers of my application post events to my application queue? Note: They will need only write access to allow them to post events to the queue.
One way I could do this is to create a user with no access to aws console (just programmatic API access) and with inline policy(example policy below) to only allow "SendMessage" for the resource. Are there any security issues in doing this? What is the best way to solve this use case?
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:123456789012:MyAppQueue"
}]
}
amazon-web-services amazon-sqs
edited Nov 13 at 9:46
mostafazh
1,533718
asked Nov 11 at 4:54
venkat Venkata
111
What are the best practices to let consumers of my application post events to my application queue? Note: They will need only write access to allow them to post events to the queue.
One way I could do this is to create a user with no access to aws console (just programmatic API access) and with inline policy(example policy below) to only allow "SendMessage" for the resource. Are there any security issues in doing this? What is the best way to solve this use case?
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:123456789012:MyAppQueue"
}]
}
amazon-web-services amazon-sqs
amazon-web-services amazon-sqs
edited Nov 13 at 9:46
mostafazh
1,533718
asked Nov 11 at 4:54
venkat Venkata
111
edited Nov 13 at 9:46
mostafazh
1,533718
asked Nov 11 at 4:54
venkat Venkata
111
edited Nov 13 at 9:46
mostafazh
1,533718
edited Nov 13 at 9:46
mostafazh
1,533718
edited Nov 13 at 9:46
mostafazh
1,533718
1,533718
asked Nov 11 at 4:54
venkat Venkata
111
asked Nov 11 at 4:54
venkat Venkata
111
asked Nov 11 at 4:54
venkat Venkata
111
111
any luck trying out my answer? hope you found it helpful.
– mostafazh
Nov 11 at 20:28
add a comment |
any luck trying out my answer? hope you found it helpful.
– mostafazh
Nov 11 at 20:28
any luck trying out my answer? hope you found it helpful.
– mostafazh
Nov 11 at 20:28
any luck trying out my answer? hope you found it helpful.
– mostafazh
Nov 11 at 20:28
add a comment |
2 Answers
2
active
oldest
votes
up vote
0
down vote
You can use IAM users to control access to SQS. But You can also write an API that the users call with their message and your API put the message in SQS. This will make it easier for you to enable/disable access to consumers, add rate limiting, do some validation on the message's content before sending it to SQS.
You could also use AWS API Gateway (and optionally AWS Lambda) instead of building and hosting your own API endpoint. (see this and this)
answered Nov 11 at 13:09
mostafazh
1,533718
add a comment |
up vote
0
down vote
The best practice is to use an AWS Role with proper permissions for your application when accessing AWS services. In order to use roles, you application must be deployed in AWS.
As far as the implementation goes, the best option (in my opinion) would be to create an API that will deal with sending messages to the SQS:
Create REST API using API Gateway and Lambda (for example, using Serverless framework)
Add permissions to the Lambda function to allow sending messages to the SQS
Configure authentication for the API (recommended). The options are
APIKEY, Cognito or custom authorizer.
With this scenario, your application will call the REST API passing all information needed to be sent to the SQS.
Another option would be to run your custom application in AWS under a service Role that has permission to write to the SQS.
answered Nov 11 at 15:09
dk-na
513
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
You can use IAM users to control access to SQS. But You can also write an API that the users call with their message and your API put the message in SQS. This will make it easier for you to enable/disable access to consumers, add rate limiting, do some validation on the message's content before sending it to SQS.
You could also use AWS API Gateway (and optionally AWS Lambda) instead of building and hosting your own API endpoint. (see this and this)
answered Nov 11 at 13:09
mostafazh
1,533718
add a comment |
up vote
0
down vote
You can use IAM users to control access to SQS. But You can also write an API that the users call with their message and your API put the message in SQS. This will make it easier for you to enable/disable access to consumers, add rate limiting, do some validation on the message's content before sending it to SQS.
You could also use AWS API Gateway (and optionally AWS Lambda) instead of building and hosting your own API endpoint. (see this and this)
answered Nov 11 at 13:09
mostafazh
1,533718
add a comment |
up vote
0
down vote
up vote
0
down vote
You can use IAM users to control access to SQS. But You can also write an API that the users call with their message and your API put the message in SQS. This will make it easier for you to enable/disable access to consumers, add rate limiting, do some validation on the message's content before sending it to SQS.
You could also use AWS API Gateway (and optionally AWS Lambda) instead of building and hosting your own API endpoint. (see this and this)
answered Nov 11 at 13:09
mostafazh
1,533718
You can use IAM users to control access to SQS. But You can also write an API that the users call with their message and your API put the message in SQS. This will make it easier for you to enable/disable access to consumers, add rate limiting, do some validation on the message's content before sending it to SQS.
You could also use AWS API Gateway (and optionally AWS Lambda) instead of building and hosting your own API endpoint. (see this and this)
answered Nov 11 at 13:09
mostafazh
1,533718
answered Nov 11 at 13:09
mostafazh
1,533718
answered Nov 11 at 13:09
mostafazh
1,533718
answered Nov 11 at 13:09
mostafazh
1,533718
1,533718
add a comment |
add a comment |
up vote
0
down vote
The best practice is to use an AWS Role with proper permissions for your application when accessing AWS services. In order to use roles, you application must be deployed in AWS.
As far as the implementation goes, the best option (in my opinion) would be to create an API that will deal with sending messages to the SQS:
Create REST API using API Gateway and Lambda (for example, using Serverless framework)
Add permissions to the Lambda function to allow sending messages to the SQS
Configure authentication for the API (recommended). The options are
APIKEY, Cognito or custom authorizer.
With this scenario, your application will call the REST API passing all information needed to be sent to the SQS.
Another option would be to run your custom application in AWS under a service Role that has permission to write to the SQS.
answered Nov 11 at 15:09
dk-na
513
add a comment |
up vote
0
down vote
The best practice is to use an AWS Role with proper permissions for your application when accessing AWS services. In order to use roles, you application must be deployed in AWS.
As far as the implementation goes, the best option (in my opinion) would be to create an API that will deal with sending messages to the SQS:
Create REST API using API Gateway and Lambda (for example, using Serverless framework)
Add permissions to the Lambda function to allow sending messages to the SQS
Configure authentication for the API (recommended). The options are
APIKEY, Cognito or custom authorizer.
With this scenario, your application will call the REST API passing all information needed to be sent to the SQS.
Another option would be to run your custom application in AWS under a service Role that has permission to write to the SQS.
answered Nov 11 at 15:09
dk-na
513
add a comment |
up vote
0
down vote
up vote
0
down vote
The best practice is to use an AWS Role with proper permissions for your application when accessing AWS services. In order to use roles, you application must be deployed in AWS.
As far as the implementation goes, the best option (in my opinion) would be to create an API that will deal with sending messages to the SQS:
Create REST API using API Gateway and Lambda (for example, using Serverless framework)
Add permissions to the Lambda function to allow sending messages to the SQS
Configure authentication for the API (recommended). The options are
APIKEY, Cognito or custom authorizer.
With this scenario, your application will call the REST API passing all information needed to be sent to the SQS.
Another option would be to run your custom application in AWS under a service Role that has permission to write to the SQS.
answered Nov 11 at 15:09
dk-na
513
The best practice is to use an AWS Role with proper permissions for your application when accessing AWS services. In order to use roles, you application must be deployed in AWS.
As far as the implementation goes, the best option (in my opinion) would be to create an API that will deal with sending messages to the SQS:
Create REST API using API Gateway and Lambda (for example, using Serverless framework)
Add permissions to the Lambda function to allow sending messages to the SQS
Configure authentication for the API (recommended). The options are
APIKEY, Cognito or custom authorizer.
With this scenario, your application will call the REST API passing all information needed to be sent to the SQS.
Another option would be to run your custom application in AWS under a service Role that has permission to write to the SQS.
answered Nov 11 at 15:09
dk-na
513
answered Nov 11 at 15:09
dk-na
513
answered Nov 11 at 15:09
dk-na
513
answered Nov 11 at 15:09
dk-na
513
513
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53245962%2fallowing-internal-teams-to-only-post-to-sqs%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
any luck trying out my answer? hope you found it helpful.
– mostafazh
Nov 11 at 20:28