What permissions do I need to access an Amazon SQS queue?

I want to access an Amazon Simple Queue Service (Amazon SQS) queue. What SQS access policy and AWS Identity and Access Management (IAM) policy permissions are required to access the queue?

Resolution

To access an Amazon SQS queue, you must add permissions to the SQS access policy, the IAM policy, or both. The specific permissions requirements differ depending on whether the SQS queue and IAM role are from the same account.

Same account

A statement to allow access is required in either the SQS access policy or the IAM policy.

Note: If either the SQS access policy or IAM policy explicitly allows access, but the other policy explicitly denies access, access to the queue is denied.

IAM user policy         | SQS access policy       | Result
Allow                   | Allow                   | Allow
Allow                   | Neither Allow nor Deny  | Allow
Allow                   | Deny                    | Deny
Neither Allow nor Deny  | Allow                   | Allow
Neither Allow nor Deny  | Neither Allow nor Deny  | Implicit Deny
Neither Allow nor Deny  | Deny                    | Deny
Deny                    | Allow                   | Deny
Deny                    | Neither Allow nor Deny  | Deny
Deny                    | Deny                    | Deny

Different account

A statement to allow access is required in both the SQS access policy and the IAM policy.

IAM user policy         | SQS access policy       | Result
Allow                   | Allow                   | Allow
Allow                   | Neither Allow nor Deny  | Implicit Deny
Allow                   | Deny                    | Deny
Neither Allow nor Deny  | Allow                   | Implicit Deny
Neither Allow nor Deny  | Neither Allow nor Deny  | Implicit Deny
Neither Allow nor Deny  | Deny                    | Deny
Deny                    | Allow                   | Deny
Deny                    | Neither Allow nor Deny  | Deny
Deny                    | Deny                    | Deny

Example policy statements

The following example policies show the permissions that you must set on the IAM policy and SQS queue access policy to allow cross-account access for an SQS queue.

The first policy is the IAM identity policy attached to username1 (in account 111122223333). It grants username1 permission to send messages to the resource arn:aws:sqs:us-east-1:123456789012:queue_1.

The second policy is the access policy on queue_1 itself (in account 123456789012). It allows username1 to send messages to the queue. Because the two accounts differ, both policies must contain the Allow; removing either one results in an implicit deny.

For more information on these policies, see IAM policy types: How and when to use them.

Example IAM policy statement for username1

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
   }]
}

Example SQS resource policy statement for queue_1

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy",
   "Statement": [{
      "Sid":"Queue1_AllActions",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "arn:aws:iam::111122223333:user/username1"
         ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
   }]
}
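The following Python model is an added example, not code from the AWS article. It embeds the two example policies above, evaluates each one for a request (principal, action, resource), and combines the results with the rule behind the same-account and cross-account tables: an explicit Deny in either policy wins, one Allow is enough within a single account, and both policies must Allow across accounts. It assumes the identity policy is attached to the principal being evaluated and models only Effect, Principal, Action and Resource with IAM-style wildcards; Condition, NotAction and NotResource are not handled. The helper names (authorize, combine, decision_table, evaluate_policy) are my own.

```python
import json
from fnmatch import fnmatchcase

# The two policy documents from the article, embedded so the script runs offline.
IAM_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
   "Effect": "Allow", "Action": "sqs:SendMessage",
   "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"}]}""")

SQS_POLICY = json.loads("""{"Version": "2012-10-17", "Id": "Queue1_Policy", "Statement": [{
   "Sid": "Queue1_AllActions", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:user/username1"]},
   "Action": "sqs:SendMessage",
   "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"}]}""")

USERNAME1 = "arn:aws:iam::111122223333:user/username1"
QUEUE_1 = "arn:aws:sqs:us-east-1:123456789012:queue_1"


def account_from_arn(arn):
    """Field 5 of an ARN (arn:partition:service:region:account:resource) is the account ID."""
    return arn.split(":")[4]


def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    """Match a resource-policy Principal: "*", an exact ARN, or a bare account ID."""
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", principal_arn, account_from_arn(principal_arn)):
            return True
    return False


def evaluate_policy(policy, principal_arn, action, resource_arn):
    """Return "Allow", "Deny" or None (no matching statement) for one document.

    Within a document an explicit Deny beats an Allow. Simplified model (assumption):
    only Effect/Principal/Action/Resource with "*" and "?" wildcards; no Condition,
    NotAction or NotResource. A document without Principal is an identity policy
    and is assumed to be attached to principal_arn.
    """
    result = None
    for stmt in _as_list(policy["Statement"]):
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def combine(iam_effect, sqs_effect, same_account):
    """The combination rule behind the article's two tables."""
    if "Deny" in (iam_effect, sqs_effect):
        return "Deny"                      # explicit Deny always wins
    allows = [iam_effect == "Allow", sqs_effect == "Allow"]
    if same_account:
        return "Allow" if any(allows) else "Implicit Deny"   # one Allow is enough
    return "Allow" if all(allows) else "Implicit Deny"       # both must Allow


def authorize(iam_policy, sqs_policy, principal_arn, action, resource_arn):
    """Evaluate both policies for a request, then combine per account relationship."""
    same_account = account_from_arn(principal_arn) == account_from_arn(resource_arn)
    iam_effect = evaluate_policy(iam_policy, principal_arn, action, resource_arn)
    sqs_effect = evaluate_policy(sqs_policy, principal_arn, action, resource_arn)
    return combine(iam_effect, sqs_effect, same_account)


def decision_table(same_account):
    """Regenerate the article's nine-row table for the given account relationship."""
    effects = ["Allow", None, "Deny"]
    return [(i or "Neither", s or "Neither", combine(i, s, same_account))
            for i in effects for s in effects]


if __name__ == "__main__":
    print("username1 SendMessage to queue_1:",
          authorize(IAM_POLICY, SQS_POLICY, USERNAME1, "sqs:SendMessage", QUEUE_1))
    print("username1 ReceiveMessage (granted nowhere):",
          authorize(IAM_POLICY, SQS_POLICY, USERNAME1, "sqs:ReceiveMessage", QUEUE_1))
    for row in decision_table(same_account=False):
        print("cross-account:", *row)
```

Running it shows why the cross-account example needs both documents: with the queue policy's Principal changed to another user, or the identity policy removed, the same request drops to Implicit Deny, while a principal inside account 123456789012 would still be allowed by the identity policy alone.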

AWS OFFICIAL - Updated 2 years ago