# Fanout Amazon SNS notifications to Amazon SQS queues for asynchronous processing
[Amazon SNS](https://aws.amazon.com/sns/) works closely with Amazon Simple Queue Service (Amazon SQS). These services provide different benefits for developers. Amazon SNS allows applications to send time-critical messages to multiple subscribers through a “push” mechanism, eliminating the need to periodically check or “poll” for updates. Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components—without requiring each component to be concurrently available. Using Amazon SNS and Amazon SQS together, messages can be delivered to applications that require immediate notification of an event, and also persisted in an Amazon SQS queue for other applications to process at a later time.
When you subscribe an Amazon SQS queue to an Amazon SNS topic, you can publish a message to the topic and Amazon SNS sends an Amazon SQS message to the subscribed queue. The Amazon SQS message contains the subject and message that were published to the topic along with metadata about the message in a JSON document. The Amazon SQS message will look similar to the following JSON document.
```
{
"Type" : "Notification",
"MessageId" : "63a3f6b6-d533-4a47-aef9-fcf5cf758c76",
"TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic",
"Subject" : "Testing publish to subscribed queues",
"Message" : "Hello world!",
"Timestamp" : "2012-03-29T05:12:16.901Z",
"SignatureVersion" : "1",
"Signature" : "EXAMPLEnTrFPa3...",
"SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
"UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c7fe3a54-ab0e-4ec2-88e0-db410a0f2bee"
}
```
# Subscribing an Amazon SQS queue to an Amazon SNS topic
To enable an Amazon SNS topic to send messages to an Amazon SQS queue, choose one of the following:
+ Use the [Amazon SQS console](https://console.aws.amazon.com/sqs/), which simplifies the process. For more information, see [Subscribing an Amazon SQS queue to an Amazon SNS topic](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-subscribe-queue-sns-topic.html) in the *Amazon Simple Queue Service Developer Guide*.
+ Use the following steps:
1. [Get the Amazon Resource Name (ARN) of the queue you want to send messages to and the topic to which you want to subscribe the queue.](#SendMessageToSQS.arn)
1. [Give `sqs:SendMessage` permission to the Amazon SNS topic so that it can send messages to the queue.](#SendMessageToSQS.sqs.permissions)
1. [Subscribe the queue to the Amazon SNS topic.](#SendMessageToSQS.subscribe)
1. [Give IAM users or AWS accounts the appropriate permissions to publish to the Amazon SNS topic and read messages from the Amazon SQS queue.](#SendMessageToSQS.iam.permissions)
1. [Test it out by publishing a message to the topic and reading the message from the queue.](#SendMessageToSQS.test)
To learn about how to set up a topic to send messages to a queue that is in a different AWS-account, see [Sending Amazon SNS messages to an Amazon SQS queue in a different account](sns-send-message-to-sqs-cross-account.md).
To see an CloudFormation template that creates a topic that sends messages to two queues, see [Automate Amazon SNS to Amazon SQS messaging with AWS CloudFormation](SendMessageToSQS.cloudformation.md).
## Step 1: Get the ARN of the queue and topic
When subscribing a queue to your topic, you'll need a copy of the ARN for the queue. Similarly, when giving permission for the topic to send messages to the queue, you'll need a copy of the ARN for the topic.
To get the queue ARN, you can use the Amazon SQS console or the [GetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Query_QueryGetQueueAttributes.html) API action.
**To get the queue ARN from the Amazon SQS console**
1. Sign in to the AWS Management Console and open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).
1. Select the box for the queue whose ARN you want to get.
1. From the **Details** section, copy the ARN value so that you can use it to subscribe to the Amazon SNS topic.
To get the topic ARN, you can use the Amazon SNS console, the `[sns-get-topic-attributes](https://docs.aws.amazon.com/cli/latest/reference/sns/get-topic-attributes.html)` command, or the `[GetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Query_QueryGetQueueAttributes.html)` API action.
**To get the topic ARN from the Amazon SNS console**
1. Sign in to the [Amazon SNS console](https://console.aws.amazon.com/sns/home).
1. On the navigation panel, choose the topic whose ARN you want to get.
1. From the **Details** section, copy the **ARN** value so that you can use it to give permission for the Amazon SNS topic to send messages to the queue.
## Step 2: Give permission to the Amazon SNS topic to send messages to the Amazon SQS queue
For an Amazon SNS topic to be able to send messages to a queue, you must set a policy on the queue that allows the Amazon SNS topic to perform the `sqs:SendMessage` action.
Before you subscribe a queue to a topic, you need a topic and a queue. If you haven't already created a topic or queue, create them now. For more information, see [Creating a topic](sns-create-topic.md), and see [Create a queue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/step-create-queue.html) in the *Amazon Simple Queue Service Developer Guide*.
To set a policy on a queue, you can use the Amazon SQS console or the [SetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Query_QuerySetQueueAttributes.html) API action. Before you start, make sure you have the ARN for the topic that you want to allow to send messages to the queue. If you are subscribing a queue to multiple topics, your policy must contain one `Statement` element for each topic.
**To set a SendMessage policy on a queue using the Amazon SQS console**
1. Sign in to the AWS Management Console and open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).
1. Select the box for the queue whose policy you want to set, choose the **Access policy** tab, and then choose **Edit**.
1. In the **Access policy** section, define who can access your queue.
+ Add a condition that allows the action for the topic.
+ Set `Principal` to be the Amazon SNS service, as shown in the example below.
+ Use the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) or [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition keys to protect against the [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) scenario. To use these condition keys, set the value to the ARN of your topic. If your queue is subscribed to multiple topics, you can use `aws:SourceAccount` instead.
For example, the following policy allows MyTopic to send messages to MyQueue.
```
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:us-east-2:123456789012:MyQueue",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-east-2:123456789012:MyTopic"
}
}
}
]
}
```
## Step 3: Subscribe the queue to the Amazon SNS topic
To send messages to a queue through a topic, you must subscribe the queue to the Amazon SNS topic. You specify the queue by its ARN. To subscribe to a topic, you can use the Amazon SNS console, the `[sns-subscribe](https://docs.aws.amazon.com/cli/latest/reference/sns/subscribe.html)` CLI command, or the `[Subscribe](https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html)` API action. Before you start, make sure you have the ARN for the queue that you want to subscribe.
1. Sign in to the [Amazon SNS console](https://console.aws.amazon.com/sns/home).
1. On the navigation panel, choose **Topics**.
1. On the **Topics** page, choose a topic.
1. On the ***MyTopic*** page, in the **Subscriptions** page, choose **Create subscription**.
1. On the **Create subscription** page, in the **Details** section, do the following:
1. Verify the **Topic ARN**.
1. For **Protocol**, choose **Amazon SQS**.
1. For **Endpoint**, enter the ARN of an Amazon SQS queue.
1. Choose **Create Subscription**.
When the subscription is confirmed, your new subscription's **Subscription ID** displays its subscription ID. If the owner of the queue creates the subscription, the subscription is automatically confirmed and the subscription should be active almost immediately.
Usually, you'll be subscribing your own queue to your own topic in your own account. However, you can also subscribe a queue from a different account to your topic. If the user who creates the subscription is not the owner of the queue (for example, if a user from account A subscribes a queue from account B to a topic in account A), the subscription must be confirmed. For more information about subscribing a queue from a different account and confirming the subscription, see [Sending Amazon SNS messages to an Amazon SQS queue in a different account](sns-send-message-to-sqs-cross-account.md).
## Step 4: Give users permissions to the appropriate topic and queue actions
You should use AWS Identity and Access Management (IAM) to allow only appropriate users to publish to the Amazon SNS topic and to read/delete messages from the Amazon SQS queue. For more information about controlling actions on topics and queues for IAM users, see [Using identity-based policies with Amazon SNS](sns-using-identity-based-policies.md), and [Identity and access management in Amazon SQS](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/UsingIAM.html) in the Amazon Simple Queue Service Developer Guide.
There are two ways to control access to a topic or queue:
+ [Add a policy to an IAM user or group](#SendMessageToSQS.iam.permissions.user). The simplest way to give users permissions to topics or queues is to create a group and add the appropriate policy to the group and then add users to that group. It's much easier to add and remove users from a group than to keep track of which policies you set on individual users.
+ [Add a policy to topic or queue](#SendMessageToSQS.iam.permissions.resource). If you want to give permissions to a topic or queue to another AWS account, the only way you can do that is by adding a policy that has as its principal the AWS account you want to give permissions to.
You should use the first method for most cases (apply policies to groups and manage permissions for users by adding or removing the appropriate users to the groups). If you need to give permissions to a user in another account, you should use the second method.
### Adding a policy to an IAM user or group
If you added the following policy to an IAM user or group, you would give that user or members of that group permission to perform the `sns:Publish` action on the topic MyTopic.
```
{
"Statement": [
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic"
}
]
}
```
If you added the following policy to an IAM user or group, you would give that user or members of that group permission to perform the `sqs:ReceiveMessage` and `sqs:DeleteMessage` actions on the queues MyQueue1 and MyQueue2.
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage"
],
"Resource": [
"arn:aws:sqs:us-east-2:123456789012:MyQueue1",
"arn:aws:sqs:us-east-2:123456789012:MyQueue2"
]
}
]
}
```
### Adding a policy to a topic or queue
The following example policies show how to give another account permissions to a topic and queue.
**Note**
When you give another AWS account access to a resource in your account, you are also giving IAM users who have admin-level access (wildcard access) permissions to that resource. All other IAM users in the other account are automatically denied access to your resource. If you want to give specific IAM users in that AWS account access to your resource, the account or an IAM user with admin-level access must delegate permissions for the resource to those IAM users. For more information about cross-account delegation, see [Enabling Cross-Account Access](https://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html) in the *Using IAM Guide*.
If you added the following policy to a topic MyTopic in account 123456789012, you would give account 111122223333 permission to perform the `sns:Publish` action on that topic.
```
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic"
}
]
}
```
If you added the following policy to a queue MyQueue in account 123456789012, you would give account 111122223333 permission to perform the `sqs:ReceiveMessage` and `sqs:DeleteMessage` actions on that queue.
```
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],
"Resource": [
"arn:aws:sqs:us-east-2:123456789012:MyQueue"
]
}
]
}
```
## Step 5: Test the topic's queue subscriptions
You can test a topic's queue subscriptions by publishing to the topic and viewing the message that the topic sends to the queue.
**To publish to a topic using the Amazon SNS console**
1. Using the credentials of the AWS account or IAM user with permission to publish to the topic, sign in to the AWS Management Console and open the Amazon SNS console at [https://console.aws.amazon.com/sns/](https://console.aws.amazon.com/sns/home).
1. On the navigation panel, choose the topic and choose **Publish to Topic**.
1. In the **Subject** box, enter a subject (for example, **Testing publish to queue**) in the **Message** box, enter some text (for example, **Hello world\$1**), and choose **Publish Message**. The following message appears: Your message has been successfully published.
**To view the message from the topic using the Amazon SQS console**
1. Using the credentials of the AWS account or IAM user with permission to view messages in the queue, sign in to the AWS Management Console and open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).
1. Choose a **queue** that is subscribed to the topic.
1. Choose **Send and receive messages**, and then choose **Poll for messages**. A message with a type of **Notification** appears.
1. In the **Body** column, choose **More Details**. The **Message Details** box contains a JSON document that contains the subject and message that you published to the topic. The message looks similar to the following JSON document.
```
{
"Type" : "Notification",
"MessageId" : "63a3f6b6-d533-4a47-aef9-fcf5cf758c76",
"TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic",
"Subject" : "Testing publish to subscribed queues",
"Message" : "Hello world!",
"Timestamp" : "2012-03-29T05:12:16.901Z",
"SignatureVersion" : "1",
"Signature" : "EXAMPLEnTrFPa3...",
"SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
"UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c7fe3a54-ab0e-4ec2-88e0-db410a0f2bee"
}
```
1. Choose **Close**. You have successfully published to a topic that sends notification messages to a queue.
# Automate Amazon SNS to Amazon SQS messaging with AWS CloudFormation
CloudFormation enables you to use a template file to create and configure a collection of AWS resources together as a single unit. This section has an example template that makes it easy to deploy topics that publish to queues. The templates take care of the setup steps for you by creating two queues, creating a topic with subscriptions to the queues, adding a policy to the queues so that the topic can send messages to the queues, and creating IAM users and groups to control access to those resources.
For more information about deploying AWS resources using an CloudFormation template, see [Get Started](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/GettingStarted.Walkthrough.html) in the *CloudFormation User Guide*.
## Using an CloudFormation template to set up topics and queues within an AWS account
The example template creates an Amazon SNS topic that can send messages to two Amazon SQS queues with appropriate permissions for members of one IAM group to publish to the topic and another to read messages from the queues. The template also creates IAM users that are added to each group.
You copy the template contents into a file. You can also download the template from the [AWS CloudFormation Templates page](http://aws.amazon.com/cloudformation/aws-cloudformation-templates/). On the templates page, choose **Browse sample templates by AWS service**and then choose **Amazon Simple Queue Service**.
MySNSTopic is set up to publish to two subscribed endpoints, which are two Amazon SQS queues (MyQueue1 and MyQueue2). MyPublishTopicGroup is an IAM group whose members have permission to publish to MySNSTopic using the [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) API action or [sns-publish](https://docs.aws.amazon.com/cli/latest/reference/sns/publish.html) command. The template creates the IAM users MyPublishUser and MyQueueUser and gives them login profiles and access keys. The user who creates a stack with this template specifies the passwords for the login profiles as input parameters. The template creates access keys for the two IAM users with MyPublishUserKey and MyQueueUserKey. AddUserToMyPublishTopicGroup adds MyPublishUser to the MyPublishTopicGroup so that the user will have the permissions assigned to the group.
MyRDMessageQueueGroup is an IAM group whose members have permission to read and delete messages from the two Amazon SQS queues using the [ReceiveMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Query_QueryReceiveMessage.html) and [DeleteMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Query_QueryDeleteMessage.html) API actions. AddUserToMyQueueGroup adds MyQueueUser to the MyRDMessageQueueGroup so that the user will have the permissions assigned to the group. MyQueuePolicy assigns permission for MySNSTopic to publish its notifications to the two queues.
The following listing shows the CloudFormation template contents.
```
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template SNSToSQS: This Template creates an SNS topic that can send messages to
two SQS queues with appropriate permissions for one IAM user to publish to the topic and another to read messages from the queues.
MySNSTopic is set up to publish to two subscribed endpoints, which are two SQS queues (MyQueue1 and MyQueue2). MyPublishUser is an IAM user
that can publish to MySNSTopic using the Publish API. MyTopicPolicy assigns that permission to MyPublishUser. MyQueueUser is an IAM user
that can read messages from the two SQS queues. MyQueuePolicy assigns those permissions to MyQueueUser. It also assigns permission for
MySNSTopic to publish its notifications to the two queues. The template creates access keys for the two IAM users with MyPublishUserKey
and MyQueueUserKey. ***Warning*** you will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"MyPublishUserPassword": {
"NoEcho": "true",
"Type": "String",
"Description": "Password for the IAM user MyPublishUser",
"MinLength": "1",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters."
},
"MyQueueUserPassword": {
"NoEcho": "true",
"Type": "String",
"Description": "Password for the IAM user MyQueueUser",
"MinLength": "1",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters."
}
},
"Resources": {
"MySNSTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{
"Endpoint": {
"Fn::GetAtt": ["MyQueue1", "Arn"]
},
"Protocol": "sqs"
},
{
"Endpoint": {
"Fn::GetAtt": ["MyQueue2", "Arn"]
},
"Protocol": "sqs"
}
]
}
},
"MyQueue1": {
"Type": "AWS::SQS::Queue"
},
"MyQueue2": {
"Type": "AWS::SQS::Queue"
},
"MyPublishUser": {
"Type": "AWS::IAM::User",
"Properties": {
"LoginProfile": {
"Password": {
"Ref": "MyPublishUserPassword"
}
}
}
},
"MyPublishUserKey": {
"Type": "AWS::IAM::AccessKey",
"Properties": {
"UserName": {
"Ref": "MyPublishUser"
}
}
},
"MyPublishTopicGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"Policies": [{
"PolicyName": "MyTopicGroupPolicy",
"PolicyDocument": {
"Statement": [{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": {
"Ref": "MySNSTopic"
}
}]
}
}]
}
},
"AddUserToMyPublishTopicGroup": {
"Type": "AWS::IAM::UserToGroupAddition",
"Properties": {
"GroupName": {
"Ref": "MyPublishTopicGroup"
},
"Users": [{
"Ref": "MyPublishUser"
}]
}
},
"MyQueueUser": {
"Type": "AWS::IAM::User",
"Properties": {
"LoginProfile": {
"Password": {
"Ref": "MyQueueUserPassword"
}
}
}
},
"MyQueueUserKey": {
"Type": "AWS::IAM::AccessKey",
"Properties": {
"UserName": {
"Ref": "MyQueueUser"
}
}
},
"MyRDMessageQueueGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"Policies": [{
"PolicyName": "MyQueueGroupPolicy",
"PolicyDocument": {
"Statement": [{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],
"Resource": [{
"Fn::GetAtt": ["MyQueue1", "Arn"]
},
{
"Fn::GetAtt": ["MyQueue2", "Arn"]
}
]
}]
}
}]
}
},
"AddUserToMyQueueGroup": {
"Type": "AWS::IAM::UserToGroupAddition",
"Properties": {
"GroupName": {
"Ref": "MyRDMessageQueueGroup"
},
"Users": [{
"Ref": "MyQueueUser"
}]
}
},
"MyQueuePolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": ["sqs:SendMessage"],
"Resource": "*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": {
"Ref": "MySNSTopic"
}
}
}
}]
},
"Queues": [{
"Ref": "MyQueue1"
}, {
"Ref": "MyQueue2"
}]
}
}
},
"Outputs": {
"MySNSTopicTopicARN": {
"Value": {
"Ref": "MySNSTopic"
}
},
"MyQueue1Info": {
"Value": {
"Fn::Join": [
" ",
[
"ARN:",
{
"Fn::GetAtt": ["MyQueue1", "Arn"]
},
"URL:",
{
"Ref": "MyQueue1"
}
]
]
}
},
"MyQueue2Info": {
"Value": {
"Fn::Join": [
" ",
[
"ARN:",
{
"Fn::GetAtt": ["MyQueue2", "Arn"]
},
"URL:",
{
"Ref": "MyQueue2"
}
]
]
}
},
"MyPublishUserInfo": {
"Value": {
"Fn::Join": [
" ",
[
"ARN:",
{
"Fn::GetAtt": ["MyPublishUser", "Arn"]
},
"Access Key:",
{
"Ref": "MyPublishUserKey"
},
"Secret Key:",
{
"Fn::GetAtt": ["MyPublishUserKey", "SecretAccessKey"]
}
]
]
}
},
"MyQueueUserInfo": {
"Value": {
"Fn::Join": [
" ",
[
"ARN:",
{
"Fn::GetAtt": ["MyQueueUser", "Arn"]
},
"Access Key:",
{
"Ref": "MyQueueUserKey"
},
"Secret Key:",
{
"Fn::GetAtt": ["MyQueueUserKey", "SecretAccessKey"]
}
]
]
}
}
}
}
```