What permissions do I need to access an Amazon SQS queue?

Last updated: 2021-08-24

I want to access an Amazon Simple Queue Service (Amazon SQS) queue. What SQS access policy and AWS Identity and Access Management (IAM) policy permissions are required to access the queue?

Resolution

To access an Amazon SQS queue, you must add permissions to the SQS access policy, the IAM policy, or both. The specific permission requirements differ depending on whether the SQS queue and the IAM role are in the same account.

Same account

A statement to allow access is required in either the SQS access policy or the IAM policy.

Note: If either the SQS access policy or IAM policy explicitly allows access, but the other policy explicitly denies access, access to the queue is denied.

IAM user policy         | SQS access policy       | Result
------------------------+-------------------------+--------------
Allow                   | Allow                   | Allow
Allow                   | Neither Allow nor Deny  | Allow
Allow                   | Deny                    | Deny
Neither Allow nor Deny  | Allow                   | Allow
Neither Allow nor Deny  | Neither Allow nor Deny  | Implicit Deny
Neither Allow nor Deny  | Deny                    | Deny
Deny                    | Allow                   | Deny
Deny                    | Neither Allow nor Deny  | Deny
Deny                    | Deny                    | Deny

Different account

A statement to allow access is required in both the SQS access policy and the IAM policy.

IAM user policy         | SQS access policy       | Result
------------------------+-------------------------+--------------
Allow                   | Allow                   | Allow
Allow                   | Neither Allow nor Deny  | Implicit Deny
Allow                   | Deny                    | Deny
Neither Allow nor Deny  | Allow                   | Implicit Deny
Neither Allow nor Deny  | Neither Allow nor Deny  | Implicit Deny
Neither Allow nor Deny  | Deny                    | Deny
Deny                    | Allow                   | Deny
Deny                    | Neither Allow nor Deny  | Deny
Deny                    | Deny                    | Deny

Example policy statements

The following example policies show the permissions that you must set on the IAM policy and SQS queue access policy to allow cross-account access for an SQS queue.

The first policy, an IAM identity policy attached to username1, grants permission to send messages to the resource arn:aws:sqs:us-east-1:123456789012:queue_1.

The second policy, the access policy attached to queue_1, allows the IAM user username1 from account 111122223333 to send messages to the queue. Because the user and the queue are in different accounts, both statements are required.

Example IAM policy statement for username1

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
   }]
}

Example SQS resource policy statement for queue_1

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy",
   "Statement": [{
      "Sid": "Queue1_AllActions",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "arn:aws:iam::111122223333:user/username1"
         ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:queue_1"
   }]
}
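The following added example (not from this article or from AWS) encodes the two decision tables above as a small evaluator and runs the two example policies through it. It assumes policies without Condition elements and considers only the identity policy and the queue policy; the account is read from field five of the principal's and the queue's ARNs.

```python
from fnmatch import fnmatchcase

ALLOW, DENY, NEITHER, IMPLICIT_DENY = "Allow", "Deny", "Neither", "Implicit Deny"

def _matches(pattern_or_list, value):
    # Action/Resource/Principal elements may be a string or a list; '*' and '?' are wildcards.
    pats = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatchcase(value, p) for p in pats)

def policy_effect(policy, action, resource, principal_arn=""):
    """Return Allow, Deny or Neither for one policy document and one request.
    Within one policy an explicit Deny wins over a matching Allow. Only the queue
    policy carries a Principal; an identity policy is scoped by where it is attached."""
    result = NEITHER
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        principal = stmt.get("Principal")
        if principal is not None:
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if not _matches(aws, principal_arn):
                continue
        if stmt["Effect"] == DENY:
            return DENY
        result = ALLOW
    return result

def combine(iam_effect, queue_effect, same_account):
    """Combine the two results exactly as the article's two tables do."""
    if DENY in (iam_effect, queue_effect):
        return DENY                                        # explicit deny in either policy wins
    allowed = [e == ALLOW for e in (iam_effect, queue_effect)]
    if same_account:
        return ALLOW if any(allowed) else IMPLICIT_DENY    # either policy may grant access
    return ALLOW if all(allowed) else IMPLICIT_DENY        # both policies must grant access

def check(iam_policy, queue_policy, principal_arn, action, resource):
    # Same account if the principal's and the queue's ARN carry the same account ID (field 5).
    same_account = principal_arn.split(":")[4] == resource.split(":")[4]
    return combine(policy_effect(iam_policy, action, resource),
                   policy_effect(queue_policy, action, resource, principal_arn), same_account)

# The two policies from the article: the user lives in 111122223333, the queue in 123456789012.
USER = "arn:aws:iam::111122223333:user/username1"
QUEUE = "arn:aws:sqs:us-east-1:123456789012:queue_1"
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": QUEUE}]}
QUEUE_POLICY = {"Version": "2012-10-17", "Id": "Queue1_Policy", "Statement": [
    {"Sid": "Queue1_AllActions", "Effect": "Allow", "Principal": {"AWS": [USER]},
     "Action": "sqs:SendMessage", "Resource": QUEUE}]}
```

Real IAM evaluation also applies service control policies, permissions boundaries, session policies and Condition keys, none of which this model covers, so treat it as an illustration of the two tables rather than as a substitute for testing against the live queue.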
