How do I troubleshoot Amazon SQS DLQ redrive issues?

2 minute read

I can't redrive Amazon Simple Queue Service (Amazon SQS) messages from dead-letter queues (DLQs) to the source queue.

Resolution

Grayed out "Start DLQ redrive" icon

If you don't configure the Amazon SQS queue as a DLQ, then the Start DLQ Redrive icon is inaccessible in the Amazon SQS console.

For more information, see Configuring a dead-letter queue redrive.

"Failed: CouldNotDetermineMessageSource" error

If the DLQ has one of these messages, then you might receive this error when you try to start a DLQ redrive to the source queue:

An Amazon SQS message that's sent with the SendMessage API call to the DLQ.
A message from the Amazon Simple Notification Service (Amazon SNS) topic or AWS Lambda function that has the DLQ configured.

To resolve this error, choose Redrive to a custom destination when you start the redrive. Then, enter the Amazon SQS queue ARN to move all messages from the DLQ to the destination queue.

"Failed: AWS.SimpleQueueService.NonExistentQueue" error

This error occurs when the DLQ redrive fails because the Amazon SQS source queue doesn't exist or was deleted.

"Failed to create redrive task. Error code: AccessDenied - Queue Permissions to Redrive" error

This error occurs when the DLQ redrive fails because the AWS Identity and Access Management (IAM) entity doesn't have the required permissions. The following API permissions are required to make DLQ redrive requests:

For server-side encryption (SSE) queues, the following AWS Key Management Service (AWS KMS) key policy permission is required:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:StartMessageMoveTask",
                "sqs:ListMessageMoveTasks",
                "sqs:CancelMessageMoveTask"
            ],
            "Resource": "arn:aws:sqs:<DLQ_region>:<DLQ_accountId>:<DLQ_name>"
        },
        {
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:<DestQueue_region>:<DestQueue_accountId>:<DestQueue_name>"
        }
    ]
}

For more information, see How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls?

Important: If you used the Amazon SQS console to configure your queue permissions for the DLQ redrive before August 31st 2023, then make sure that you update your permissions.

Related information

What permissions do I need to access an Amazon SQS queue?

Why is my Lambda function retrying valid Amazon SQS messages and placing them in my dead-letter queue?

Amazon SQS announces support for FIFO dead-letter queue redrive

Topics

Serverless Application Integration

Relevant content

SQS redrive bug?
m0ltar
asked 2 years ago
If a lambda is consuming a FIFO queue and times out, why did my SQS message not get redrived or put into DLQ?
Kit - CostCenter
asked 10 months ago
Implementing DLQ for both network issues and lambda processing failure
Accepted Answer
CharlesNelsonReilly
asked 4 months ago
What permissions are required for IAM role to perform SQS DLQ redrive?
rePost-User-0842866
asked a year ago
Best Practice to Redrive events from a Lambda DLQ
Andrew Harmon
asked a year ago
How do I set up EventBridge retries and DLQ for failed invocations?
AWS OFFICIALUpdated 7 months ago
Why did my Amazon SQS messages get sent to a dead-letter queue?
AWS OFFICIALUpdated 7 months ago
How do I troubleshoot the QueueDoesNotExist error when I make API calls to my Amazon SQS queue?
AWS OFFICIALUpdated 7 months ago
How do I troubleshoot issues with the "ApproximateAgeOfOldestMessage" metric for my Amazon SQS queue?
AWS OFFICIALUpdated 7 months ago
Amazon SQS announces support for FIFO dead-letter queue redrive in the AWS GovCloud (US) Regions
EXPERT
Adeleke Adebowale J
published 10 days ago