I lost access to my Amazon Simple Queue Service (Amazon SQS) queue because of a Deny queue policy.
Short description
The following example Deny policy denies all AWS Identity and Access Management (IAM) entities access to all Amazon SQS queue actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-sqs-actions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "queueNameArn"
    }
  ]
}
Resolution
Troubleshoot SQS queue access issues
If you lost access to your queue that uses a Deny queue policy, then complete the following steps:
- Use your AWS account root user to access the queue. Root user credentials allow full access to all resources in the account. You can use the root user account to remove a Deny policy associated with the queue.
- If the Deny policy restricts specific entities, then try to gain access with the entities that the policy excludes.
Note: Verify that the excluded entities have the permissions required to access the queue.
- Use the SQSUnlockQueuePolicy AWS managed policy from the AWS Organizations management account.
Prevent SQS queue access loss
The following best practices help prevent queue access loss:
Example policy with Allow and Deny statements:
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_Allow_Access",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/User1"},
      "Action": "sqs:*",
      "Resource": "queueNameArn"
    },
    {
      "Sid": "Queue1_Deny_Access",
      "Effect": "Deny",
      "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/User1"},
      "Action": "sqs:*",
      "Resource": "queueNameArn"
    }
  ]
}
The preceding example policy allows the User1 IAM user access to all Amazon SQS actions on the specified SQS queue. This policy also denies queue access to all principals except User1.
Note: The NotPrincipal element in the Deny policy excludes the specified principal. The Allow statement grants access permissions to the excluded principal.
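To see why the second policy keeps one door open while the first one locks everyone out, the following added example (not code from the page or from AWS) models the two queue policies shown above with a simplified evaluator (explicit Deny wins over Allow, otherwise implicit deny) and adds a pre-apply guard that flags a Deny with no excluded principal. The account ID and User1 ARN are the page's placeholder values; User2 and the evaluator itself are constructed assumptions, not the real IAM policy engine.

```python
import fnmatch

USER1 = "arn:aws:iam::111122223333:user/User1"  # principal from the page's example
USER2 = "arn:aws:iam::111122223333:user/User2"  # constructed second principal

# The page's lockout policy: Deny, every principal, every SQS action.
LOCKOUT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "deny-sqs-actions", "Effect": "Deny", "Principal": "*",
     "Action": "SQS:*", "Resource": "queueNameArn"}]}

# The page's safer policy: Allow User1, Deny everyone who is NOT User1.
SAFE_POLICY = {"Version": "2012-10-17", "Id": "Queue1_Policy_UUID", "Statement": [
    {"Sid": "Queue1_Allow_Access", "Effect": "Allow",
     "Principal": {"AWS": USER1}, "Action": "sqs:*", "Resource": "queueNameArn"},
    {"Sid": "Queue1_Deny_Access", "Effect": "Deny",
     "NotPrincipal": {"AWS": USER1}, "Action": "sqs:*", "Resource": "queueNameArn"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_arns(field):
    # "*" means every principal; {"AWS": "arn"} or {"AWS": [arns]} lists specific ones
    return ["*"] if field == "*" else _as_list(field.get("AWS", []))

def _statement_applies(stmt, principal, action):
    # Action names are case-insensitive and may carry wildcards ("SQS:*" matches "sqs:SendMessage")
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if "Principal" in stmt:
        return any(p in ("*", principal) for p in _principal_arns(stmt["Principal"]))
    # NotPrincipal: the statement applies to everyone EXCEPT the listed principals
    return not any(p in ("*", principal) for p in _principal_arns(stmt["NotPrincipal"]))

def evaluate(policy, principal, action):
    """Simplified queue-policy evaluation: a matching explicit Deny wins over any Allow;
    a principal that no statement allows ends in an implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, principal, action):
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            decision = "allow"
    return decision

def lockout_risk(policy):
    """Pre-apply guard: flag any Deny that applies to every principal with no exception."""
    return any(s["Effect"] == "Deny" and s.get("Principal") == "*" for s in policy["Statement"])

if __name__ == "__main__":
    print(evaluate(LOCKOUT_POLICY, USER1, "sqs:ReceiveMessage"))  # explicit-deny
    print(evaluate(SAFE_POLICY, USER1, "sqs:SendMessage"))  # allow
    print(evaluate(SAFE_POLICY, USER2, "sqs:SendMessage"))  # explicit-deny
    print(lockout_risk(LOCKOUT_POLICY), lockout_risk(SAFE_POLICY))  # True False
```

Running lockout_risk over a policy before calling SetQueueAttributes is the cheap check that would have caught the first policy; the evaluator also answers the "which entities does the Deny exclude?" question for a policy you have already applied.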
Contact AWS Support if you can't access the SQS queue
If you can't use root user credentials, or don't know the entities that the Deny policy excludes, then contact AWS Support. Create a support case and include the following information:
- Confirm that you used the root user credentials to attempt to access the queue. Include the reason why you can't use root user credentials, or why the root user credentials didn't resolve the issue.
- Confirm that you can't use the SQSUnlockQueuePolicy AWS managed policy and include the reason why.
- Confirm that you're the queue owner.
- Provide a detailed reason for why you need access to the queue.
Related information
Overview of managing access in Amazon SQS