infrared
Reputation: 3626
AWS IAM user policy to restrict access to specific SQS queue
I'm trying to setup a user policy for a AWS IAM user to access a specific AWS SQS queue.
When I try with below policy, I get the error AccessDenied.
{
"Statement": [
{
"Action": ["sqs:*"],
"Effect": "Allow",
"Resource": ["arn:aws:sqs:us-east-1:my_aws_account_id:queue_name"]
}
]
}
However, when I trying using the same policy, only replacing the queue_name part of arn with *, it works:
{
"Statement": [
{
"Action": ["sqs:*"],
"Effect": "Allow",
"Resource": ["arn:aws:sqs:us-east-1:my_aws_account_id:*"]
}
]
}
What could be the problem when trying to restrict access to specific queue?
Upvotes: 9
Views: 4962
Answers (2)
Shreyas Karnik
Reputation: 4143
I ran into similar situation and found that "arn:aws:sqs:*:*:queue_name" worked for me.
Upvotes: 0
plyawn
Reputation: 412
What action are you trying to perform with the queue-specific policy? I did the following:
- Created a queue (all default values)
- Defined an IAM user and added a user policy identical in format to your #1
- Added a message, retrieved a message and deleted a message - NO PROBLEM
- Performed an action above the queue level (like list queues) ERROR
Upvotes: 4
Related Questions
- Dynamic permission policy to access sqs queue based from name
- Access to SQS Queue is denied even when policies are set
- AWS Deny Policy Role specific account
- How to restrict IAM Role specific to SQS in aws cloudformation template
- AWS Policy Restrict Permission Based On Service
- IAM - How to restrict access on queue creation?
- How to add permissions to a queue to allow a user in a different account permissions on the queue
- IAM policy to restrict users to instances in a specific VPC
- Restrict an IAM policy to run only in an specified account
- AWS IAM policy for SQS