AWS Certified Security Specialty Exam Questions

Question 234:

Your AWS account (111111111111) owns an SQS queue in the us-east-2 Region that is used to store messages, and downstream applications get messages from the queue for processing. At the moment, EC2 instances in another AWS account (222222222222) need to send messages to the queue. You want to give access to these instances on the condition that the IP range is 203.0.113.0/24. How would you configure the SQS queue?

Answer options:

A. In the AWS Management Console, click the Add a Permission button. Select account 222222222222 as the Resource, allow the SQS SendMessage action and add an IpAddress condition.
B. In the AWS Management Console, click the Add a Permission button. Select account 222222222222 as the Principal, allow all SQS actions and add a NotIpAddress condition.
C. Configure the SQS access policy as below:
{
  "Version": "2012-10-17",
  "Id": "QueuePolicy",
  "Statement": [{
    "Sid": "1",
    "Effect": "Deny",
    "Principal": {
      "AWS": [
        "222222222222"
      ]
    },
    "Action": [
      "sqs:*"
    ],
    "Resource": "arn:aws:sqs:us-east-2:111111111111:ExampleQueue",
    "Condition": {
      "IpAddress": {
        "AWS:NotIpAddress": "203.0.113.0/24"
      }
    }
  }]
}
D. Modify the SQS queue policy as below:
{
  "Version": "2012-10-17",
  "Id": "QueuePolicy",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "222222222222"
      ]
    },
    "Action": [
      "sqs:SendMessage",
      "sqs:ReceiveMessage"
    ],
    "Resource": "arn:aws:sqs:us-east-2:111111111111:ExampleQueue",
    "Condition": {
      "IpAddress": {
        "AWS:SourceIp": "203.0.113.0/24"
      }
    }
  }]
}