How do I troubleshoot and prevent Amazon SQS queue access issues when using a Deny queue policy?
I've lost access to my Amazon Simple Queue Service (Amazon SQS) queue because of a Deny queue policy. How can I regain access to my Amazon SQS queue, and how can I prevent losing access again?
Short description
If you lose access to an Amazon SQS queue because of a Deny queue policy, try to access the queue using AWS account root user credentials. Or, try to access the queue using entities excluded from the policy, if applicable.
This article also presents best practices to follow so that you can prevent Amazon SQS queue access loss when using Deny queue policies.
The following example Deny policy denies all AWS Identity and Access Management (IAM) entities access to all Amazon SQS queue actions:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "deny-sqs-actions", "Effect": "Deny", "Principal": "*", "Action": "SQS:*", "Resource": "queueName" } ] }
Resolution
Troubleshoot Amazon SQS queue access issues
If you lose access to your Amazon SQS queue while using a Deny policy in the Amazon SQS Access Policy, try the following steps:
- Use your root user credentials to access the queue. Account owner root user credentials allow full access to all resources in the account. This includes removing a Deny All resource policy associated to the Amazon SQS queue.
- If the Deny policy is restricted to specific entities, then try to gain access with the entities that are excluded from the policy.
Note: Verify that the excluded entities have the permissions required to access the queue.
If you can't use root user credentials, or if you're not sure which entities are excluded from the Deny policy, then contact AWS Support. Create a support case and include the following information:
- Confirm that you attempted to access the Amazon SQS queue using root user credentials. Include the reason why you can't use root user credentials, or why using root user credentials didn't resolve the issue.
- Confirm that you are the queue owner.
- Provide a detailed reason as to why queue access is needed.
Avoid losing access to your Amazon SQS queue
To prevent losing access to your Amazon SQS queue, follow these best practices when using a Deny policy in the Queue Access Policy.
- Don't explicitly deny the root user account, as you can lose access to the queue entirely.
- Use an Allow policy alongside the Deny policy to be sure that there is an entity that can still gain access to the queue.
Note: A Deny policy can override an Allow Policy unless the Allow policy doesn't match the condition of the Deny policy. For more information, see Authorization.
Example policy including Allow and Deny statements:
{ "Version": "2012-10-17", "Id": "Queue1_Policy_UUID", "Statement": [{ "Sid":"Queue1_Allow_Access", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/User1"}, "Action": “sqs:*", "Resource": "queueName" }, { "Sid":"Queue1_Deny_Access", "Effect": "Deny", “NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/User1"}, "Action": "sqs:*", "Resource": "queueName" }] }
This example policy achieves the following:
- Allows a specific IAM user (User1) access to all Amazon SQS actions on the specified Amazon SQS queue.
- Denies queue access to all principals except the specified IAM user (User1).
"NotPrincipal" in the Deny policy excludes the specified principal. However, the Allow statement is also needed to grant access permissions to the excluded principal.
Related information
Contenuto pertinente
- AWS UFFICIALEAggiornata un anno fa
- AWS UFFICIALEAggiornata 3 anni fa
- AWS UFFICIALEAggiornata 3 anni fa
- AWS UFFICIALEAggiornata 2 anni fa