A development team is collaborating with another company that needs to poll an Amazon Simple Queue Service (Amazon SQS) queue in the development team's AWS account. The other company wants to poll the queue without using the development team's account permissions. How should a solutions architect grant access to the SQS queue?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an SQS access policy that provides the other company access to the SQS queue..
Why this is the answer
The correct solution is to create an SQS access policy. SQS queue policies are resource-based policies that allow you to grant permissions directly on the SQS queue itself. This enables cross-account access, allowing the other company's AWS account (identified by its ARN) to perform actions like sqs:ReceiveMessage on your queue without needing your account's IAM roles or users. Creating an instance profile is incorrect because instance profiles are used to grant permissions to EC2 instances within your own account, not to external AWS accounts. Creating an IAM policy is incorrect because while IAM policies define permissions, they are identity-based and attached to users, groups, or roles within your account. To grant cross-account access to a specific resource like an SQS queue, a resource-based policy (like an SQS access policy) is more appropriate and direct. Creating an Amazon SNS access policy is incorrect because SNS policies manage permissions for SNS topics, not SQS queues.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed