Subscribe SQS to a SNS topic in another AWS account with CloudFormation, and gotchas!

You can become a serverless blackbelt. Enrol to my 4-week online workshop Production-Ready Serverless and gain hands-on experience building something from scratch using serverless technologies. At the end of the workshop, you should have a broader view of the challenges you will face as your serverless architecture matures and expands. You should also have a firm grasp on when serverless is a good fit for your system as well as common pitfalls you need to avoid. Sign up now and get 15% discount with the code yanprs15!

A use case happened at work recently, where we need to subscribe a SQS queue to a SNS topic running in another AWS account. On the surface this seems like something many people would need to do, and indeed I was able to find an official tutorial pretty quickly. But the tutorial is all “click this in the SQS console, and do that in the SNS console”. We are strong believers in Infrastructure as Code and having someone do the subscription steps manually is not going to work, especially given that we’ll be repeating this process in many places.

So here’s what I learnt as I translate the tutorial steps into CloudFormation, and some gotchas I found.

First, in the SNS account, you need to add a SNS TopicPolicy to give the SQS account permission to call sns:Subscribe on the relevant topic(s).

Then, in the SQS account, you need to create:

  • SQS QueuePolicy to allow the above SNS topic to call SQS:SendMessage against the relevant SQS queue(s). The big gotcha here is that, unlike anywhere else in IAM land, the SQS action is prefixed with SQS, not the usual sqs! This might be owing to the fact that SQS is the oldest service in AWS and predates the conventions we know. Nonetheless, it was a difficult problem to track down.
  • Create the SNS Subscription in the SQS account. When you create the subscription in the SQS account, you don’t need to explicitly confirm the subscription. If you create the SNS subscription in the SNS account, then a confirm subscription message is sent to the SQS queue first, which you would need to handle to confirm the subscription.

All in all, it was pretty straight forward once I figured out the magic incantation to make it work.

Another behaviour difference that I didn’t anticipate was how the SNS Filter Policy affects the structure of the message I would receive in the SQS queue.

If I publish the following message to the SNS topic.

If Filter Policy is not set on the subscription then the SQS queue would receive a message like this:

The SNS message attributes are included as part of the JSON message body.

And not in the SQS message attributes.

If Filter Policy is set on the SNS subscription, then the SQS queue would receive a message like this instead:

And the SNS message attributes are forwarding on as SQS message attributes.

Again, this behavioural difference seems pretty random. By filtering what messages I choose to receive I somehow receive messages in a completely different format…

Anyhow, I hope you find this useful, and hopefully it saves you half an hour of head scratching!

Liked this article? Support me on Patreon and get direct help from me via a private Slack channel or 1-2-1 mentoring.
Subscribe to my newsletter


Hi, I’m Yan. I’m an AWS Serverless Hero and I help companies go faster for less by adopting serverless technologies successfully.

Are you struggling with serverless or need guidance on best practices? Do you want someone to review your architecture and help you avoid costly mistakes down the line? Whatever the case, I’m here to help.

Hire me.


Skill up your serverless game with this hands-on workshop.

My 4-week Production-Ready Serverless online workshop is back!

This course takes you through building a production-ready serverless web application from testing, deployment, security, all the way through to observability. The motivation for this course is to give you hands-on experience building something with serverless technologies while giving you a broader view of the challenges you will face as the architecture matures and expands.

We will start at the basics and give you a firm introduction to Lambda and all the relevant concepts and service features (including the latest announcements in 2020). And then gradually ramping up and cover a wide array of topics such as API security, testing strategies, CI/CD, secret management, and operational best practices for monitoring and troubleshooting.

If you enrol now you can also get 15% OFF with the promo code “yanprs15”.

Enrol now and SAVE 15%.


Check out my new podcast Real-World Serverless where I talk with engineers who are building amazing things with serverless technologies and discuss the real-world use cases and challenges they face. If you’re interested in what people are actually doing with serverless and what it’s really like to be working with serverless day-to-day, then this is the podcast for you.


Check out my new course, Learn you some Lambda best practice for great good! In this course, you will learn best practices for working with AWS Lambda in terms of performance, cost, security, scalability, resilience and observability. We will also cover latest features from re:Invent 2019 such as Provisioned Concurrency and Lambda Destinations. Enrol now and start learning!


Check out my video course, Complete Guide to AWS Step Functions. In this course, we’ll cover everything you need to know to use AWS Step Functions service effectively. There is something for everyone from beginners to more advanced users looking for design patterns and best practices. Enrol now and start learning!