Now let's talk about SQS Queue Access Policies. And there are two good use cases for SQS Queue Access Policies. They're similar to S3 Bucket policies in the sense that they are resource policies, so JSON IAM policies that you're going to add directly onto your SQS Queue. So the first use case is to allow cross-account access. Say you have a queue in an account and another account needs to access that queue. Maybe it has an EC2 Instance. So for that EC2 Instance to be able to pull messages across accounts, what you need to do is to create a Queue Access Policy that looks like this, and you attach it to the SQS Queue in the first account. What this Queue Access Policy will do is that it will allow the principal, AWS 111122223333, which represents the account on the right-hand side, to perform sqs:ReceiveMessage on this resource right here. And so this Queue Access Policy is really what will allow your EC2 Instance to pull from the SQS Queue in another account.
Another use case for an SQS Queue Access Policy is, for example, when you have an S3 Bucket and it will publish event notifications to an SQS Queue. So for example, you upload an object into an S3 Bucket, and what you want is to automatically get a message sent to the SQS Queue. As you can see, the SQS Queue will need to give permission to the S3 Bucket to write a message to it. And therefore we need to create our own SQS Queue Access Policy that looks like this. And if you look at the details, for example, the action is sqs:SendMessage, the principal is AWS star (*), so any account, as long as the condition is that the SourceArn represents the S3 Bucket named bucket1, and that the SourceAccount is the account owner of the S3 Bucket. So once you have this, then the S3 Bucket is allowed to write to the SQS Queue. That's something important because the exam will test you on, for example, what is needed to write to an SQS Queue for cross-account access or for publishing S3 event notifications. So there you have it.
So let's create a queue and set up an SQS Queue Access Policy. So I'll call this one EventsFromS3, because we're going to set up an S3 event notification to go into this SQS Queue. I will keep everything else as the default. Oh, and as we can see, the SQS Access Policy is here. And so here we can define what kind of services can send data into our SQS Queue. So if we choose the Basic method, then we can select only the queue owner to send data into our SQS Queue, which would represent this, or we can select only the specified AWS accounts, IAM users and roles specified right here. So this is one way to get cross-account access for who can send messages to the queue. We have the same dialog for who can receive messages from the queue. Okay. This is not going to help us for Amazon S3, or we can do Advanced and write our own SQS Queue Access Policy for this. So in the meantime, I'm just gonna choose Basic.
I'll show you that things don't work in the beginning, and then we're going to modify it and then see that things will work afterwards. So we're going to create this queue right here, and I'm going to go now into Amazon S3, okay? And I'm going to create an S3 Bucket. And from the S3 Bucket, set up an event notification to send data into our SQS Queue. So let's create a bucket called demo-sqs-queue-access-policy, and I will click on Create bucket. Okay. So here it is. Then I'm going to go into Properties, scroll down, and find our event notifications. And I'm going to create an event notification. I'll call it NewObjects, for any prefix or suffix, and for event types, we're gonna choose All object create events. So perfect. Scroll down, and the destination is going to be an SQS Queue. We need to choose from the SQS Queues, so we find EventsFromS3, and click on Save changes. And as we can see, we get an error because right now it is unable to validate the following destination configurations.
So what we need to do is to go into this access policy and we need to modify it to allow our S3 Bucket to write into our SQS Queue. So for this, we can go directly into the documentation and see if we can find this policy for us. So we'll just do a simple Google search: S3 events into SQS access policy. And that should give us access to what we need. So, okay, perfect. We have event notifications. And then I'm going to go into Amazon SQS. So, granting permissions. Here we go. Configuring SQS and SNS. And then we're going to add this. And here is the policy document that we need to set up for our SQS Queue. So I'm going to copy it, edit this, and I'm going to paste it. And so we need to change it to have the queue ARN. So let me just do a small, dirty edit right here. But the resource queue ARN I have to copy from here and paste it there. Okay.
And then we have to say that the condition, ArnLike, is that the source bucket has to be named just like our source bucket, so let's find the name of our source bucket right here, which we will copy into this policy. And the source account owner is the account we have right now. So I'm going to go right here, find my account ID, which is right here, copy it and paste it. So this policy, and I need to delete the old one. So this policy allows our S3 Bucket to send a message into our SQS Queue. Fairly good. We'll save this. And it is not valid JSON because I'm missing a comma. Click on Save. And here we go. So now with this new policy, let's see if we can save our event notification. And yes we can. So this was completed successfully. And actually, if you go into Amazon SQS and you go to Send and receive messages, there's one message that is available; we can poll for it, look at it and see that the test event was sent by Amazon S3 into our SQS Queue.
So that's it, really, for this hands-on. We could, if we wanted to, upload a file into Amazon S3 and see it in SQS. But what I want to show you here is the fact that by modifying an access policy, we did provide access from our S3 Bucket into our SQS Queue, and this is the effect we wanted. So that's it for this lecture. I hope you liked it. And I will see you in the next lecture.