How do I grant access to an Amazon SQS queue?

3 minute read

I want to access an Amazon Simple Queue Service (Amazon SQS) queue. I need to know the required Amazon SQS access policy and AWS Identity and Access Management (IAM) policy permissions to access the queue.

Resolution

To access an Amazon SQS queue, you must add permissions to the SQS access policy, the IAM policy, or both. The specific permissions requirements depend on whether the SQS queue and IAM role are from the same AWS account.

Same account

A statement’s required in either the SQS access policy or the IAM policy to allow access.

Note: If either the SQS access policy or IAM policy explicitly allows access, but the other policy explicitly denies access, then access to the queue’s denied.


IAM user policy	SQS access policy	SQS access policy
Allow	Allow	Allow
Allow	Neither Allow nor Deny	Allow
Allow	Deny	Deny
Neither Allow nor Deny	Allow	Allow
Neither Allow nor Deny	Neither Allow nor Deny	Implicit Deny
Neither Allow nor Deny	Deny	Deny
Deny	Allow	Deny
Deny	Neither Allow nor Deny	Deny
Deny	Deny	Deny

Different account

A statement’s required in both the SQS access policy and the IAM policy to allow access.


IAM user policy	SQS access policy	Result
Allow	Allow	Allow
Allow	Neither Allow nor Deny	Implicit Deny
Allow	Deny	Deny
Neither Allow nor Deny	Allow	Implicit Deny
Neither Allow nor Deny	Neither Allow nor Deny	Implicit Deny
Neither Allow nor Deny	Deny	Deny
Deny	Allow	Deny
Deny	Neither Allow nor Deny	Deny
Deny	Deny	Deny

Example policy statements

The following example policies show the permissions that you must set on the IAM policy and SQS queue access policy. These policies allow cross-account access for an SQS queue.

Example IAM policy statement for username1

The following policy grants permissions for username1 to send messages to the resource arn:aws:sqs:us-east-1:123456789012:queue_1:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
   }]
}

Example SQS resource policy statement for queue_1

The following policy allows username1 to send messages to the SQS queue:

{   "Version": "2012-10-17",
   "Id": "Queue1_Policy",
   "Statement": [{
      "Sid":"Queue1_AllActions",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "arn:aws:iam::111122223333:user/username1"
         ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
   }]
}

For more information, see IAM policy types: How and when to use them.

Topics: Application Integration Serverless
Tags: Amazon Simple Queue Service
Language: English

Relevant content

How can I give a role permission to call my SQS que?
Accepted Answer
User-5267765
asked 3 years ago
S3 event notification to SQS
Accepted Answer
joshus
asked 2 years ago
How to allow anonymous access for SendMessage to Amazon SQS?
Michael
asked 2 years ago
What permissions are required for IAM role to perform SQS DLQ redrive?
rePost-User-0842866
asked 3 years ago
Permissions required to make cross region and cross account call from Lambda to SQS queue
rePost-User-6173103
asked a year ago
How do I troubleshoot Amazon SQS queue access issues with a Deny queue policy?
AWS OFFICIALUpdated 8 months ago
How do I resolve the error "The specified queue does not exist or you do not have access to it." when I run my AWS Glue job to send messages to Amazon SQS in a different Region?
AWS OFFICIALUpdated a year ago
How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls?
AWS OFFICIALUpdated 2 years ago
How do I update my SQS access policy to apply least privilege access?
AWS OFFICIALUpdated 4 years ago
How do I migrate my Application Integration resources to another region?
EXPERT
Francesco Penta
published 4 days ago