Troubleshoot an access denied error in Amazon SQS

The following topics cover the most common causes of AccessDenied or AccessDeniedException errors on Amazon SQS API calls. For more information on how to troubleshoot these errors, see How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls? in the Amazon Knowledge Center Guide.

Error message examples:

    An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.

- or -

    An error occurred (KMS.AccessDeniedException) when calling the SendMessage operation: User: arn:aws-cn:iam::xxxxx:user/xxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws-cn:kms:us-east-1:xxxx:key/xxxx with an explicit deny.

Amazon SQS queue policy and IAM policy

To verify if the requester has proper permissions to perform an Amazon SQS operation, do the following:

  • Identify the IAM principal that’s making the Amazon SQS API call. If the IAM principal is from the same account, then either the Amazon SQS queue policy or the Amazon Identity and Access Management (IAM) policy must include permissions to explicitly allow access for the action.

  • If the principal is an IAM entity:

    • You can identify your IAM user or role by checking the upper-right corner of the Amazon Web Services Management Console, or by using the aws sts get-caller-identity command.

    • Check the IAM policies that are related to the IAM user or role. You can use one of the following methods:

    • If needed, edit your IAM user policy.

    • Check the queue policy and edit if required.

  • If the principal is an Amazon service, then the Amazon SQS queue policy must explicitly allow access.

  • If the principal is a cross-account principal, then both the Amazon SQS queue policy and the IAM policy must explicitly allow access.

  • If either policy uses a Condition element, check whether that condition is what is restricting access (for example, a source VPC, source ARN, or encryption condition that the request does not satisfy).

Important

An explicit deny in either policy overrides an explicit allow. Here are some basic examples of Amazon SQS policies.
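The decision rules above (same account: either policy may allow; cross account: both must allow; an explicit deny anywhere wins) as a small offline triage helper. This is an added example, not code from the Amazon SQS documentation; it models only Effect, Principal, Action and Resource (no Condition, NotAction, NotResource or NotPrincipal), and the queue and role ARNs are constructed sample values.

```python
import fnmatch
import json

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_matches(principal, caller_arn):
    # "*" matches anyone; an account id or account-root ARN matches that whole account.
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    return any(p in ("*", caller_arn, account, f"arn:aws-cn:iam::{account}:root")
               for p in _as_list(principal.get("AWS", [])))

def evaluate(policy_json, caller_arn, action, queue_arn):
    """One policy document -> 'deny', 'allow' or 'implicit' (no Condition/Not* support)."""
    verdict = "implicit"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(queue_arn, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit deny overrides any allow
        verdict = "allow"
    return verdict

def decide(caller_arn, queue_arn, action, queue_policy, identity_policy):
    """Combine the queue policy and the caller's IAM policy using the rules stated on this page."""
    q = evaluate(queue_policy, caller_arn, action, queue_arn)
    i = evaluate(identity_policy, caller_arn, action, queue_arn)
    if "deny" in (q, i):
        return "denied: explicit deny"
    if caller_arn.split(":")[4] == queue_arn.split(":")[4]:  # same account
        return "allowed" if "allow" in (q, i) else "denied: no allow in either policy"
    if q == "allow" and i == "allow":
        return "allowed"
    return "denied: cross-account call also needs an allow in the " + (
        "queue policy" if q != "allow" else "identity policy")

# Constructed sample: a queue in account 111111111111 whose policy lets a producer role
# from account 222222222222 send messages and explicitly denies ReceiveMessage to everyone.
QUEUE_ARN = "arn:aws-cn:sqs:cn-north-1:111111111111:MyQueue"
PRODUCER = "arn:aws-cn:iam::222222222222:role/producer"
QUEUE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PRODUCER}, "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
    {"Effect": "Deny", "Principal": "*", "Action": "sqs:ReceiveMessage", "Resource": QUEUE_ARN}]})
PRODUCER_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]})
```

Feed it the queue policy from GetQueueAttributes (the Policy attribute), the caller ARN from aws sts get-caller-identity and the caller's identity policy to see which of the page's checks is failing.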

Amazon Key Management Service permissions

If your Amazon SQS queue has server-side encryption (SSE) turned on with a customer managed Amazon KMS key, then permissions on that key must be granted to both producers and consumers. To confirm whether a queue is encrypted, check the KmsMasterKeyId attribute returned by the GetQueueAttributes API, or look under Encryption in the queue console.

  • Required permissions for producers:

    {
      "Effect": "Allow",
      "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ],
      "Resource": "<Key ARN>"
    }

  • Required permissions for consumers:

    {
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "<Key ARN>"
    }

  • Required permissions for cross-account access:

    {
      "Effect": "Allow",
      "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey" ],
      "Resource": "<Key ARN>"
    }

You can use any of the following to enable encryption for an Amazon SQS queue:

However, if you are using an Amazon managed KMS key, you can't modify its default key policy. Therefore, to grant access to other services or to other accounts, use a customer managed key, whose key policy you can edit.

VPC endpoint policy

If you access Amazon SQS through an Amazon Virtual Private Cloud (Amazon VPC) endpoint, the Amazon SQS VPC endpoint policy must allow access. You can create a policy for Amazon VPC endpoints for Amazon SQS, where you can specify the following:

  1. The principal that can perform actions.

  2. The actions that can be performed.

  3. The resources on which actions can be performed.

In the following example, the VPC endpoint policy specifies that the IAM user MyUser is allowed to send messages to the Amazon SQS queue MyQueue. Other actions, IAM users, and Amazon SQS resources are denied access through the VPC endpoint.

    {
      "Statement": [{
        "Action": ["sqs:SendMessage"],
        "Effect": "Allow",
        "Resource": "arn:aws-cn:sqs:us-east-2:123456789012:MyQueue",
        "Principal": { "AWS": "arn:aws-cn:iam::123456789012:user/MyUser" }
      }]
    }

Organization service control policy

If your Amazon Web Services account belongs to an organization, Amazon Organizations policies can block you from accessing your Amazon SQS queues. By default, Amazon Organizations policies do not block any requests to Amazon SQS. However, make sure that your Amazon Organizations policies haven’t been configured to block access to Amazon SQS queues. For instructions on how to check your Amazon Organizations policies, see Listing all policies in the Amazon Organizations User Guide.