Configure AWS SQS Queue for Access by EC2 Instances in Another AWS Account

Correct Answer - D.

In order to control the SQS queue access, users can update the SQS access policy.

References and examples can be found in https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html#sqs-creating-custom-policies-key-concepts and.

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies-access-policy-examples.html.

Option A is incorrect: Users can click the Add a Permission button to quickly update the policy.

However, the account 222222222222 should be configured as the Principal instead of Resource.

Option B is incorrect: Because the policy should not allow all SQS actions, and the NotIpAddress condition is incorrect.

Option C is incorrect: Because the policy only contains explicit deny.

It should also include a statement to explicit allow.

Option D is CORRECT: Because this policy allows the AWS account 222222222222 to send messages to the queue on the condition that the IP range is 203.0.113.0/24.

The correct answer is D: Modify the SQS queue policy as shown below:

jsonCopy code
{  "Version": "2012-10-17",  "Id": "QueuePolicy",  "Statement" : [{     "Sid": "1",     "Effect": "Allow",     "Principal": {      "AWS": [         "222222222222"      ]     },     "Action": [      "sqs:SendMessage",      "sqs:ReceiveMessage"     ],     "Resource": "arn:aws:sqs:us-east-2:111111111111:ExampleQueue",     "Condition": {      "IpAddress": {         "AWS:SourceIp": "203.0.113.0/24"      }     }  }] } 

Explanation:

The scenario describes a requirement where EC2 instances in a different AWS account need to send messages to an SQS queue owned by another AWS account. The requirement also states that access should be granted only to instances in a specific IP range.

To achieve this requirement, we need to modify the SQS access policy. The access policy is a JSON document that specifies who can access the SQS queue and what actions they can perform.

The correct answer is D because it allows EC2 instances in the specified IP range to perform SendMessage and ReceiveMessage actions on the SQS queue.

The policy contains the following elements:

• Version: Specifies the access policy version. The current version is "2012-10-17".
• Id: An optional identifier for the policy statement.
• Statement: An array of policy statements, each containing an "Effect", "Principal", "Action", "Resource", and "Condition".

The Statement element in the policy contains the following elements:

• Sid: An optional identifier for the statement.
• Effect: Specifies whether the statement allows or denies access. In this case, the effect is "Allow".
• Principal: Specifies the AWS account or IAM user or role that is allowed or denied access. In this case, the principal is the AWS account 222222222222.
• Action: Specifies the action or actions that are allowed or denied. In this case, the action is "sqs:SendMessage" and "sqs:ReceiveMessage".
• Resource: Specifies the ARN of the resource that the statement applies to. In this case, the resource is the SQS queue arn:aws:sqs:us-east-2:111111111111:ExampleQueue.
• Condition: Specifies additional conditions that must be met for the statement to apply. In this case, the condition is "IpAddress" and the allowed source IP range is "203.0.113.0/24".

Therefore, the correct answer is D because it provides the required access to the SQS queue while also enforcing the IP address restriction. Answer A is incorrect because it does not specify the principal and the action is allowed instead of being restricted. Answer B is incorrect because it allows all SQS actions instead of restricting them and uses the "NotIpAddress" condition instead of "SourceIp". Answer C is incorrect because it denies all actions and does not include the correct "SourceIp" condition.