AWS Certified Solutions Architect – Associate (SAA-C03) — Question 720

A development team is collaborating with another company to create an integrated product. The other company needs to access an Amazon Simple Queue Service (Amazon SQS) queue that is contained in the development team's account. The other company wants to poll the queue without giving up its own account permissions to do so.

How should a solutions architect provide access to the SQS queue?

Answer options

• A. Create an instance profile that provides the other company access to the SQS queue.
• B. Create an IAM policy that provides the other company access to the SQS queue.
• C. Create an SQS access policy that provides the other company access to the SQS queue.
• D. Create an Amazon Simple Notification Service (Amazon SNS) access policy that provides the other company access to the SQS queue.

Correct answer: C

Explanation

An SQS access policy is a resource-based policy that allows direct cross-account access to an SQS queue without requiring the external party to assume an IAM role. IAM policies (Option B) are identity-based and cannot grant cross-account access on their own without role assumption, while instance profiles (Option A) are used to assign permissions to EC2 instances. SNS access policies (Option D) govern access to SNS topics, not SQS queues.