How do I update my SQS access policy to apply least privilege access?

2 minute read

To isolate malicious attacks, I want to restrict access to my VPC endpoint for my Amazon Simple Queue Service (Amazon SQS) queue. I want to deny access from other VPC endpoints and limit AWS Lambda function event source permissions.


To secure your SQS queue, apply the least privilege principles to your SQS access policy. You can isolate any malicious attacks in your queue by allowing requests only from a specified VPC endpoint and a specified Lambda function with event source mapping. You can secure your queue and isolate attacks by implementing the following SQS access policy:

  "Version": "2012-10-17",
  "Id": "default_policy_ID",
  "Statement": [
      "Sid": "owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:XXXXXXX:root"
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:XXXXXXXX:test.fifo"
      "Sid": "RestrictSendReceiveToVpce",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
      "Resource": "arn:aws:sqs:us-east-1: XXXXXX:test.fifo",
      "Condition": {
        "ArnNotEquals": {
         "aws:PrincipalArn": "Lambda execution role arn"
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-XXXXX"

This SQS access policy does the following:

  • If the VPC endpoint is not the aws:sourceVpce provided when making the request, then the policy denies the client messages sent to the SQS queue.
  • When the Lambda function’s execution role is not PrincipalArn, the policy denies the Lambda function’s permission.

The ArnNotEquals and StringNotEquals conditions in the policy use OR evaluation logic. If either statement is true, then the request will be allowed.

For more information on the evaluation logic for conditions, see Creating a condition with multiple keys or values.

Related information

Tutorial: Sending a message to an Amazon SQS queue from Amazon Virtual Private Cloud

AWS OFFICIALUpdated 2 years ago