How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls?

4 minute read
0

I ran an Amazon Simple Queue Service (Amazon SQS) API call and received an “AccessDenied” error.

Short description

When I run an Amazon SQS API call, I receive an "AccessDenied" or "AccessDeniedException" error similar to the following:

"An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied."

-or-

"An error occurred (KMS.AccessDeniedException) when calling the SendMessage operation: User: arn:aws:iam::xxxxx:user/xxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:xxxx:key/xxxx with an explicit deny."

Resolution

Amazon SQS access policy and IAM policy

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

  • Either the SQS access policy or the AWS Identity and Access Management (IAM) policy must include permissions to explicitly allow access for the action.

  • It's a best practice to grant least privilege for only the permissions required to perform a task. For more information, see Apply least-privilege permissions.

  • If the SQS queue is in a different account, then both the SQS access policy and the IAM policy must explicitly allow access.

    Important: An explicit deny in either policy overrides an explicit allow.

  • If the policy uses a condition element, then check that the condition restricts access.

  • If the user or role is in an AWS Organizations organization that uses SCPs, check that the SCP doesn't block the user or role.

To confirm the IAM identity that is used to make API calls, run the get-caller-identity AWS CLI command:

aws sts get-caller-identity

For more information about Amazon SQS access permissions, see What permissions do I need to access an Amazon SQS queue?

AWS Key Management Service (AWS KMS) permissions

If your Amazon SQS queue has server-side encryption (SSE) turned on, then permissions must be granted to both producers and consumers. The required permissions are provided with an AWS managed AWS KMS key or a customer managed key. A customer managed key policy must include access permissions for each queue producer and consumer. Or, update the IAM policy to include the required AWS KMS permissions for the AWS KMS key.

To access an SSE Amazon SQS queue from a different account, the queue must use a customer managed key. You can't use an AWS managed key because only customer managed key policies can be modified. The AWS KMS key policy must allow cross account access of the AWS KMS key. The IAM policy must include permissions to access the AWS KMS key.

For more information, see Key management.

VPC endpoint policy

If you access SQS through an Amazon Virtual Private Cloud (Amazon VPC) endpoint, the SQS VPC endpoint policy must allow access.

This example VPC endpoint policy specifies that the IAM user MyUser is allowed to send messages to the SQS queue MyQueue. Other actions, IAM users, and SQS resources are denied access through the VPC endpoint.

{
  "Statement": [
    {
      "Action": [
        "sqs:SendMessage"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:us-east-2:123456789012:MyQueue",
      "Principal": {
        "AWS": "arn:aws:iam:123456789012:user/MyUser"
      }
    }
  ]
}

Note: You can only use VPCs with HTTPS Amazon SQS endpoints.

SQS console permissions

To view the SQS queues and attributes from the SQS console, users must have permissions to the ListQueues and GetQueueAttributes actions:

{
  "Sid": "Statement1",
  "Effect": "Allow",
  "Action": [
    "sqs:ListQueues",
    "sqs:GetQueueAttributes"
  ],
  "Resource": "*"
}

Note: You can't use the ListQueues API action with specific queues. The ListQueues API must be applied to "*" resource or "arn:aws:sqs:region:account_id:*".

Deny all queue policy

You might lose access to the SQS queue if a deny all policy is added similar to this example:

{
  "Sid": "deny-sqs-actions",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "SQS:*",
  "Resource": "queueName"
}

If you lost access to the SQS queue, then use the root user credentials to access the queue and remove the deny all policy. For more information, see How do I troubleshoot and prevent Amazon SQS queue access issues when using a Deny queue policy?

Related information

Tutorial: Sending a message to an Amazon SQS queue from Amazon Virtual Private Cloud

Amazon SQS API permissions: Actions and resource reference

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago