feat: add GetQueueAttributes to SQS policy (#11)
For AWS ControlTower integration using SSO, "sqs:GetQueueAttributes" is required. While as of 0.15 this permission is added to the cross-account role policy, it has not yet been added to the SQS Access Policy, causing CloudTrail integration to encounter 403 errors.

**How did you test this change?**

Replicated issue in a personal account and ControlTower using SSO, updated Access Policy for SQS queue manually to add sqs:GetQueueAttributes permission for the cross-account role, and CloudTrail integration began populating without errors.
Gilbert Stawny authored Mar 8, 2022
1 parent 2392419 commit 72f69a3
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion main.tf
Expand Up @@ -56,7 +56,8 @@ resource "aws_sqs_queue_policy" "lacework_sqs_queue_policy" {
},
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes"
],
"Resource": "${aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn}"
}
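Review bot: The change itself is right, but the edit to `"sqs:ReceiveMessage"` (adding a trailing comma so `"sqs:GetQueueAttributes"` can follow) shows this statement is hand-maintained JSON inside `aws_sqs_queue_policy`; a missing or extra comma here fails only at apply time, so consider generating the policy with an `aws_iam_policy_document` data source where `actions` is a native list. Also, since the message notes that 0.15 already granted `sqs:GetQueueAttributes` on the cross-account role, the module docs or changelog should state that the queue access policy now grants the matching action, so the IAM side and the resource side are kept in sync on future permission changes. The grant stays scoped to `aws_sqs_queue.lacework_cloudtrail_sqs_queue.arn` via `Resource`, which is the right least-privilege shape for a read-only attribute call.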
