Listen to this Post
When designing scalable cloud architectures, segregating components into separate AWS accounts provides clear isolation and simplifies access control. This approach is particularly effective for event-driven architectures, where services like Amazon SNS, EventBridge, Lambda, and SQS enable seamless cross-account communication.
Chanaka Supun’s guide demonstrates how to implement this setup, ensuring secure and efficient interactions between distributed components.
Read the full guide here:
Event Driven Architecture with Amazon API Gateway, Event Bridge, Lambda, SNS, SQS in Multi-Account
You Should Know:
1. Cross-Account SNS Subscription
To allow an SNS topic in Account A to trigger a Lambda function in Account B:
Account A (SNS Owner):
aws sns add-permission \ --topic-arn arn:aws:sns:us-east-1:ACCOUNT_A_ID:MyTopic \ --label LambdaAccess \ --aws-account-id ACCOUNT_B_ID \ --action-name Publish
Account B (Lambda Subscriber):
aws lambda add-permission \ --function-name MyFunction \ --statement-id SNS-Invoke-Permission \ --action lambda:InvokeFunction \ --principal sns.amazonaws.com \ --source-arn arn:aws:sns:us-east-1:ACCOUNT_A_ID:MyTopic
2. EventBridge Cross-Account Rule
To forward events from Account A to Account B via EventBridge:
Account A (Event Source):
aws events put-rule \
--name CrossAccountRule \
--event-pattern '{"source": ["my.application"]}' \
--state ENABLED
Account B (Event Target):
aws events put-permission \ --action events:PutEvents \ --principal ACCOUNT_A_ID \ --statement-id AllowAccountA
3. SQS Queue for Decoupled Processing
Set up an SQS queue in Account B and grant Account A permission to send messages:
Account B (Queue Owner):
aws sqs set-queue-attributes \
--queue-url https://sqs.us-east-1.amazonaws.com/ACCOUNT_B_ID/MyQueue \
--attributes '{"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::ACCOUNT_A_ID:root\"},\"Action\":\"sqs:SendMessage\",\"Resource\":\"arn:aws:sqs:us-east-1:ACCOUNT_B_ID:MyQueue\"}]}"}'
What Undercode Say
Implementing multi-account event-driven architectures enhances security and scalability. Key takeaways:
– Use AWS Resource Access Manager (RAM) for shared VPCs.
– AWS Organizations simplifies multi-account policy management.
– CloudTrail + Config ensures compliance across accounts.
– Cross-account IAM roles reduce credential exposure.
For Linux/Windows admins, integrate CLI automation:
List cross-account S3 buckets aws s3 ls --profile AccountB Assume cross-account role aws sts assume-role --role-arn arn:aws:iam::ACCOUNT_B_ID:role/Admin --role-session-name AdminSession
Expected Output:
A secure, decoupled multi-account AWS environment with auditable event flows.
References:
Reported By: Darryl Ruggles – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
