How do I create a subscription between my Amazon SQS queue and an Amazon SNS topic in CloudFormation?

5 minute read

I want to create a subscription between my Amazon Simple Queue Service (Amazon SQS) queue and Amazon Simple Notification Service (Amazon SNS) topic in AWS CloudFormation.

Resolution

If the topic and queue are in the same stack, then use a CloudFormation template to create a topic that sends messages to SQS queues.

If the topic is in one stack and the queue is in another, then create a cross-stack reference. Both stacks must be in the same AWS Region. When you create a cross-stack reference, export the ARN of the SQS queue in one stack. Then, import the ARN in the subscription endpoint property of the SNS topic in the other stack.

If your SNS topic and SQS queue are in different Regions or AWS accounts, then use AWS::SNS::Subscription to set up either a cross-account or cross-Region subscription.

Set up a cross-account subscription

Configure Account A

In the CloudFormation template for the source stack, configure the following settings:

Under Parameters, for Description, enter the destination account ID.
For Resources, declare the AWS::SNS::Topic and AWS::SNS::TopicPolicy.
Create an Outputs section to return the SNS TopicArn.

Example JSON template:

{
  "Parameters": {
    "CrossAccountNumber": {
      "AllowedPattern": "[0-9]+",
      "Description": "The 12 digit AWS account number to grant access to.",
      "MaxLength": "12",
      "MinLength": "12",
      "Type": "String",
      "Default": 123456789101
    }
  },
  "Resources": {
    "SnsTopic": {
      "Type": "AWS::SNS::Topic"
    },
    "SnsTopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "DependsOn": "SnsTopic",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "SnsTopicPolicy",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${CrossAccountNumber}:root"
                }
              },
              "Action": [
                "sns:Subscribe"
              ],
              "Resource": {
                "Ref": "SnsTopic"
              }
            }
          ]
        },
        "Topics": [
          {
            "Ref": "SnsTopic"
          }
        ]
      }
    }
  },
  "Outputs": {
    "SnsTopicArn": {
      "Value": {
        "Ref": "SnsTopic"
      }
    }
  }
}

Example YAML template:

Parameters:
 CrossAccountNumber:
  AllowedPattern: '[0-9]+'
  Description: The 12 digit AWS account number to grant access to.
  MaxLength: '12'
  MinLength: '12'
  Type: String
  Default: 123456789101
Resources:
 SnsTopic:
  Type: AWS::SNS::Topic
 SnsTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  DependsOn: SnsTopic
  Properties:
   PolicyDocument:
    Version: '2012-10-17'
    Statement:
    - Sid: SnsTopicPolicy
      Effect: Allow
      Principal:
       AWS: !Sub arn:aws:iam::${CrossAccountNumber}:root
      Action:
       - sns:Subscribe
      Resource: !Ref SnsTopic
   Topics:
    - !Ref SnsTopic
Outputs:
 SnsTopicArn:
  Value: !Ref SnsTopic

Configure Account B

In the CloudFormation template for the destination stack, for Resources, declare the AWS::SNS::Subscription resource, the AWS::SQS::Queue, and the AWS::SQS::QueuePolicy.

Example JSON template:

{
 "Parameters": {
  "SNSTopicARN": {
   "Type": "String",
   "Default": "awsSNSTopicArn"
  },
  "TopicRegion": {
   "Type": "String",
   "Default": "us-east-1"
  }
 },
 "Resources": {
  "Queue": {
   "Type": "AWS::SQS::Queue"
  },
  "SqsQueuePolicy": {
   "Type": "AWS::SQS::QueuePolicy",
   "Properties": {
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Id": "MyQueuePolicy",
     "Statement": [
      {
       "Sid": "Allow-SNS-SendMessage",
       "Effect": "Allow",
       "Principal": "*",
       "Action": [
        "sqs:SendMessage"
       ],
       "Resource": {
        "Fn::GetAtt": [
         "Queue",
         "Arn"
        ]
       },
       "Condition": {
        "ArnEquals": {
         "aws:SourceArn": {
          "Ref": "SNSTopicARN"
         }
        }
       }
      }
     ]
    },
    "Queues" : [
     {
      "Ref" : "Queue"
     }
    ]
   }
  },
  "SnsSubscription": {
   "Type": "AWS::SNS::Subscription",
   "Properties": {
    "Protocol": "sqs",
    "Endpoint": {
     "Fn::GetAtt": [
      "Queue",
      "Arn"
     ]
    },
    "Region": {
     "Ref": "TopicRegion"
    },
    "TopicArn": {
     "Ref": "SNSTopicARN"
    }
   }
  }
 }
}

Example YAML template:

Parameters:
 SNSTopicARN:
  Type: String
  Default: awsSNSTopicArn
 TopicRegion:
  Type: String
  Default: us-east-1
Resources:
 Queue:
  Type: AWS::SQS::Queue
 SqsQueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
   PolicyDocument:
    Version: '2012-10-17'
    Id: MyQueuePolicy
    Statement:
    - Sid: Allow-SNS-SendMessage
      Effect: Allow
      Principal: "*"
      Action:
      - sqs:SendMessage
      Resource: !GetAtt Queue.Arn
      Condition:
       ArnEquals:
        aws:SourceArn: !Ref SNSTopicARN
   Queues:
    - !Ref Queue
 SnsSubscription:
  Type: AWS::SNS::Subscription
  Properties:
   Protocol: sqs
   Endpoint: !GetAtt Queue.Arn
   Region: !Ref TopicRegion
   TopicArn: !Ref SNSTopicARN

Note: In the preceding example templates, under Parameters, replace awsSNSTopicArn with your SNS topic ARN. Also, replace us-east-1 with the Region of the stack in the source account (Account A).

Set up a cross-Region subscription

Configure Region A

In the CloudFormation template for the stack in one Region, configure the following settings:

For Resources, declare the AWS::SNS::Topic.
Create an Outputs section to return the SnsTopicArn.

Example JSON template:

{
 "Resources": {
  "SnsTopic": {
   "Type": "AWS::SNS::Topic"
  }
 },
 "Outputs": {
  "SnsTopicArn": {
   "Value": {
     "Ref": "SnsTopic"
   }
  }
 }
}

Example YAML template:

Resources:
  SnsTopic:
    Type: AWS::SNS::Topic
Outputs:
  SnsTopicArn:
    Value: !Ref SnsTopic

Configure Region B

In the CloudFormation template for the stack in the other Region, for Resources, declare the AWS::SNS::Subscription resource and AWS::SQS::Queue.

Example JSON template:

{
 "Parameters": {
  "SNSTopicARN": {
   "Type": "String",
   "Default": "awsSNSTopicArnExample"
  },
  "TopicRegion": {
   "Type": "String",
   "Default": "us-east-1"
  }
 },
 "Resources": {
  "Queue": {
   "Type": "AWS::SQS::Queue"
  },
  "SnsSubscription": {
   "Type": "AWS::SNS::Subscription",
   "Properties": {
    "Protocol": "sqs",
    "Endpoint": {
     "Fn::GetAtt": [
      "Queue",
      "Arn"
     ]
    },
    "Region": {
     "Ref": "TopicRegion"
    },
    "TopicArn": {
     "Ref": "SNSTopicARN"
    }
   }
  }
 }
}

Example YAML template:

Parameters:
  SNSTopicARN:
    Type: String
    Default: awsSNSTopicArnExample 
  TopicRegion:
    Type: String
    Default: us-east-1

Resources:
  Queue:
    Type: AWS::SQS::Queue

  SnsSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: sqs
      Endpoint: !GetAtt Queue.Arn
      Region: !Ref TopicRegion
      TopicArn: !Ref SNSTopicARN

Note: In the preceding example templates, under Parameters, replace awsSNSTopicArnExample with your SNS topic ARN. Also, replace us-east-1 with the Region of the stack from Region A.

Topics: Management & Governance
Tags: AWS CloudFormation
Language: English

AWS OFFICIALUpdated a year ago

No comments

Relevant content

CloudFormation Nonsense: Seven (7) SNS Subscriptions created for SQS Queues by a Template
eduardo_j_yanez_p
asked 4 years ago
Subscribing to SNS topic in another account/region not working for SQS queue via CloudFormation yaml template, but working through AWS console.
AWS-User-9785916
asked 3 months ago
Is it possible to limit sns:Subscribe in the SNS topic's access policy to a specific SQS queue ARN for cross-account subscriptions?
rePost-User-2581820
asked 2 years ago
Is it possible to get a SQS subscription's ARN using CDK?
mjsztainbok
asked 4 years ago
Why would an SQS subscription stop working?
Accepted Answer
Nathan
asked a year ago
How do I recreate a "Deleted" Amazon SNS topic subscription for an Amazon SQS queue in another AWS account?
AWS OFFICIALUpdated 2 years ago
How can I get my Amazon SQS subscription to successfully receive a notification from my Amazon SNS topic?
AWS OFFICIALUpdated 2 years ago
How do I resolve an “authorization error" when attempting to view or modify a cross-account SQS subscription's attributes on the Amazon SNS console?
AWS OFFICIALUpdated 3 years ago
How do I configure my cross-account Amazon SQS endpoint to the Amazon SNS topic ?
AWS OFFICIALUpdated a year ago
Message routing based on IoT device registry attribute
EXPERT
Steve Krems
published a year ago