just to confirm: it's the daemon process that runs ...
# ask-community
a
just to confirm: it's the daemon process that runs the sensors, and so if the sensor reads from an SQS queue, it is the daemon only that needs access to that queue?
j
that's correct
a
turns out it's the user code that needs the permissions(???). I'm having issues now trying to hook into the secrets management stuff. I've given the user_code task execution_role access to the secrets manager but it's failing to start the container
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret arn:aws:secretsmanager:ap-southeast-1:...:SOMTHING-blah from secrets manager
I'll try the daemon execution role and then the tasks roles and then... not sure. The documentation for the AWS/ECS needs to be updated to include the permissions needed to get it going or at least a full working example. I'll publish my CDK script somewhere once I get it working (if you like).
looks like it was the daemon execution role