I want to access an Amazon Simple Queue Service (Amazon SQS) queue. What SQS access policy and AWS Identity and Access Management (IAM) policy permissions are required to access the queue?
Resolution
To access an Amazon SQS queue, you must add permissions to the SQS access policy, the IAM policy, or both. The specific permission requirements differ depending on whether the SQS queue and the IAM role (or user) belong to the same AWS account.
Same account
A statement to allow access is required in either the SQS access policy or the IAM policy.
Note: If either the SQS access policy or IAM policy explicitly allows access, but the other policy explicitly denies access, access to the queue is denied.
IAM user policy | SQS access policy | Result
---|---|---
Allow | Allow | Allow
Allow | Neither Allow nor Deny | Allow
Allow | Deny | Deny
Neither Allow nor Deny | Allow | Allow
Neither Allow nor Deny | Neither Allow nor Deny | Implicit Deny
Neither Allow nor Deny | Deny | Deny
Deny | Allow | Deny
Deny | Neither Allow nor Deny | Deny
Deny | Deny | Deny
Different account
A statement to allow access is required in both the SQS access policy and the IAM policy.
IAM user policy | SQS access policy | Result
---|---|---
Allow | Allow | Allow
Allow | Neither Allow nor Deny | Implicit Deny
Allow | Deny | Deny
Neither Allow nor Deny | Allow | Implicit Deny
Neither Allow nor Deny | Neither Allow nor Deny | Implicit Deny
Neither Allow nor Deny | Deny | Deny
Deny | Allow | Deny
Deny | Neither Allow nor Deny | Deny
Deny | Deny | Deny
Example policy statements
The following example policies show the permissions that you must set on the IAM policy and SQS queue access policy to allow cross-account access for an SQS queue.
The first policy is the IAM policy attached to username1 in account 111122223333. It grants username1 permission to send messages to the queue arn:aws:sqs:us-east-1:123456789012:queue_1.
The second policy is the access policy on queue_1 in account 123456789012. It allows username1 from account 111122223333 to send messages to the queue. Because the accounts differ, both statements are required; removing either one results in an implicit deny.
For more information on these policies, see IAM policy types: How and when to use them.
Example IAM policy statement for username1
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
  }]
}
Example SQS resource policy statement for queue_1
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy",
  "Statement": [{
    "Sid": "Queue1_AllActions",
    "Effect": "Allow",
    "Principal": {
      "AWS": [
        "arn:aws:iam::111122223333:user/username1"
      ]
    },
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
  }]
}
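The following added example (not AWS code, and a simplification of real IAM evaluation) applies the two result tables above to the two policy statements shown: it decides Allow, Deny or Neither for each policy by matching action, resource and principal, then combines them depending on whether the principal's account matches the queue's account. It assumes the principal is always named as a full user ARN and ignores conditions, groups and session policies.

```python
import fnmatch

# Constructed copies of the two policy statements shown on this page.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"}]}
QUEUE_POLICY = {"Version": "2012-10-17", "Id": "Queue1_Policy", "Statement": [{
    "Sid": "Queue1_AllActions", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:user/username1"]},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"}]}


def _account(arn):
    # Account ID is the fifth colon-separated field of every AWS ARN.
    return arn.split(":")[4]


def _matches(pattern, value):
    # Action/Resource may be a string or a list; IAM wildcards map onto fnmatch.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_decision(policy, action, resource, principal=None):
    """Return 'Allow', 'Deny' or 'Neither' for one policy document."""
    decision = "Neither"
    for stmt in policy["Statement"]:
        if principal is not None:  # resource policy: principal must be named
            p = stmt.get("Principal", {})
            allowed = ["*"] if p == "*" else p.get("AWS", [])
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if principal not in allowed and "*" not in allowed:
                continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over any allow
        decision = "Allow"
    return decision


def evaluate(iam_policy, queue_policy, principal_arn, action, queue_arn):
    """Combine both decisions using the same-account / cross-account tables."""
    iam = policy_decision(iam_policy, action, queue_arn)
    sqs = policy_decision(queue_policy, action, queue_arn, principal=principal_arn)
    if "Deny" in (iam, sqs):
        return "Deny"
    if _account(principal_arn) == _account(queue_arn):
        return "Allow" if "Allow" in (iam, sqs) else "Implicit Deny"
    return "Allow" if iam == "Allow" and sqs == "Allow" else "Implicit Deny"
```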