How do I troubleshoot AccessDenied errors on Amazon SQS API calls?

Last updated: 2021-09-03

When I run an Amazon Simple Queue Service (Amazon SQS) API call, I receive an AccessDenied error similar to one of the following:

“An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.”

“An error occurred (KMS.AccessDeniedException) when calling the SendMessage operation: User: arn:aws:iam::xxxxx:user/xxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:xxxx:key/xxxx with an explicit deny”

How can I troubleshoot this issue?

Resolution

Amazon SQS access policy and IAM policy

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

  • Either the SQS access policy or the AWS Identity and Access Management (IAM) policy must include permissions to explicitly allow access for the action.
  • If the SQS queue is in a different account, both the SQS access policy and the IAM policy must explicitly allow access.
    Important: An explicit deny in either policy overrides an explicit allow.
  • If the policy uses a condition element, verify whether the condition restricts access.
  • If the user or role is in an AWS Organizations organization that uses a service control policy (SCP), verify that the SCP isn't blocking the user or role.

To confirm the IAM identity that is used to make API calls, run the following get-caller-identity AWS CLI command:

aws sts get-caller-identity

For more information about Amazon SQS access permissions, see What permissions do I need to access an Amazon SQS queue?

KMS permissions

If your Amazon SQS queue has server-side encryption (SSE) turned on, permissions on the KMS key must be granted to both producers and consumers. The key can be an AWS managed AWS KMS key or a customer managed key. A customer managed key policy must include access permissions for each queue producer and consumer. Alternatively, you can update the IAM policy to include the required KMS permissions for the KMS key.

  • Required producer permissions: kms:GenerateDataKey and kms:Decrypt
  • Required consumer permissions: kms:Decrypt

To access an SSE Amazon SQS queue from a different account, the queue must use a customer managed key. You can’t use an AWS managed key because only customer managed key policies can be modified. The KMS key policy must allow cross-account access to the KMS key, and the IAM policy must include permissions to access the KMS key.

For more information, see Key management.
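The policy checklist above (same-account versus cross-account queues, explicit deny overriding allow) and the producer/consumer KMS requirements in this section, as an added example that is not part of the AWS article: a small Python evaluator that applies those rules to constructed sample policies. It assumes simplified policy documents (no Condition elements, NotAction, NotResource or SCPs; Principal given as AWS ARNs or "*"), and the function names sqs_allowed and kms_missing are hypothetical, not AWS APIs.

```python
# Added example, not from the AWS article: a simplified evaluator for the
# rules above (no Condition, NotAction or NotResource; Principal as AWS ARNs or "*").
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource, principal=None):
    """Return 'deny', 'allow' or 'implicit' for one policy document. The
    principal is matched only where a statement has a Principal element
    (queue and key policies); IAM identity policies carry none."""
    outcome = "implicit"
    for stmt in policy.get("Statement", []):
        if "Principal" in stmt and stmt["Principal"] != "*":
            allowed = _as_list(stmt["Principal"].get("AWS", []))
            if principal not in allowed and "*" not in allowed:
                continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny overrides any allow, stop here
        outcome = "allow"
    return outcome

def sqs_allowed(iam_policy, queue_policy, principal_arn, queue_arn, action):
    """Same account: an allow in either policy suffices. Cross-account: both
    must allow. An explicit deny in either policy blocks the call."""
    iam = evaluate(iam_policy, action, queue_arn)
    queue = evaluate(queue_policy, action, queue_arn, principal_arn)
    if "deny" in (iam, queue):
        return False
    same_account = principal_arn.split(":")[4] == queue_arn.split(":")[4]
    if same_account:
        return "allow" in (iam, queue)
    return iam == "allow" and queue == "allow"

def kms_missing(iam_policy, key_policy, principal_arn, key_arn, role):
    """SSE queue: producers need GenerateDataKey and Decrypt, consumers Decrypt.
    Return the actions that neither policy allows or that either policy denies."""
    needed = {"producer": ["kms:GenerateDataKey", "kms:Decrypt"],
              "consumer": ["kms:Decrypt"]}[role]
    missing = []
    for act in needed:
        results = (evaluate(iam_policy, act, key_arn),
                   evaluate(key_policy, act, key_arn, principal_arn))
        if "deny" in results or "allow" not in results:
            missing.append(act)
    return missing
```

Running the evaluator against the IAM policy, queue policy and key policy you retrieve for a failing identity tells you which of the three documents is short of an allow or carries the deny.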

VPC endpoint policy

If you access SQS through an Amazon Virtual Private Cloud (Amazon VPC) endpoint, the SQS VPC endpoint policy must allow access.

The following example VPC endpoint policy specifies that the IAM user MyUser is allowed to send messages to the SQS queue MyQueue. Other actions, IAM users, and SQS resources are denied access through the VPC endpoint.

{
   "Statement": [{
      "Action": ["sqs:SendMessage"],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:us-east-2:123456789012:MyQueue",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/MyUser"
      }
   }]
}
