How should a solutions architect provide access to the SQS queue?
Create an instance profile that provides the other company access to the SQS queue.
Create an IAM policy that provides the other company access to the SQS queue.
Create an SQS access policy that provides the other company access to the SQS queue.
Create an Amazon Simple Notification Service (Amazon SNS) access policy that provides the other company access to the SQS queue.
Explanations:
An instance profile is primarily used for EC2 instances to grant them permissions to interact with AWS services. It does not provide direct access to an SQS queue for external accounts.
An IAM policy can grant permissions for SQS actions but needs to be attached to an IAM role or user within the other company’s account. This does not provide access without compromising the other company’s account permissions.
An SQS access policy allows the queue owner to specify which AWS accounts or IAM users can perform actions on the queue. This method provides the required permissions to the other company without compromising their account permissions.
An SNS access policy pertains to permissions for SNS topics, not directly to SQS queues. While SNS can trigger SQS, this does not grant the other company access to the SQS queue itself.
From what I’ve heard, the answer is:
Create an SQS access policy that provides the other company access to the SQS queue.
I opine that the answer is:
Create an SQS access policy that provides the other company access to the SQS queue.