How do I troubleshoot and prevent Amazon SQS queue access issues when using a Deny queue policy?

Last updated: 2021-07-29

I've lost access to my Amazon Simple Queue Service (Amazon SQS) queue due to a Deny queue policy. How can I regain access to my Amazon SQS queue, and how can I prevent losing access again?

Short description

If you lose access to an Amazon SQS queue due to a Deny queue policy, you can try to access the queue using AWS account root user credentials. Or, try to access the queue using entities excluded from the policy, if applicable.

There are also some best practices that you can follow to prevent Amazon SQS queue access loss when using Deny queue policies.

The following example Deny policy denies all IAM entities access to all Amazon SQS queue actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-sqs-actions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "queueName"
    }
  ]
}

Resolution

Troubleshoot Amazon SQS queue access issues

If you lose access to your Amazon SQS queue while using a Deny policy in the Amazon SQS Access Policy, try the following steps:

  1. Use your root user credentials to access the queue. Account owner root user credentials allow full access to all resources in the account. This includes removing a Deny All resource policy associated to the Amazon SQS queue.
  2. If the Deny policy is restricted to specific entities, then try to gain access with the entities that are excluded from the policy. Note: Verify that the excluded entities have the permissions required to access the queue.

If you can't use root user credentials, or if you're not sure which entities were excluded from the Deny policy, then contact AWS Support. Create a support case and include the following information:

  1. Confirm that you attempted to access the Amazon SQS queue using root user credentials. Include the reason why you can't use root user credentials, or why using root user credentials didn't resolve the issue.
  2. Confirm that you are the queue owner.
  3. Provide a detailed reason as to why queue access is needed.

Avoid losing access to your Amazon SQS queue

To prevent losing access to your Amazon SQS queue, follow these best practices when using a Deny policy in the Queue Access Policy.

  1. Don't explicitly deny the root user account, as you can lose access to the queue entirely.
  2. Use an Allow policy alongside the Deny policy to be sure that there is an entity that can still gain access to the queue. Note: An Allow policy can override a Deny policy that includes an explicit deny. For more information, see Authorization.

Example policy including Allow and Deny statements:

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_Allow_Access",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/User1"},
      "Action": “sqs:*",
      "Resource": "queueName"
   }, {
      "Sid":"Queue1_Deny_Access",
      "Effect": "Deny",
      “NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/User1"},
      "Action": "sqs:*",
      "Resource": "queueName"
   }]
}

This example policy achieves the following:

  • Allows a specific IAM user (User1) access to all Amazon SQS actions on the specified Amazon SQS queue.
  • Denies queue access to all principals except the specified IAM user (User1).

"NotPrincipal" in the Deny policy excludes the specified principal. However, the Allow statement is also needed to grant access permissions to the excluded principal.


Did this article help?


Do you need billing or technical support?