Amazon Simple Queue Service
Developer Guide

Creating an Amazon VPC Endpoint Policy for Amazon SQS

You can create a policy for Amazon VPC endpoints for Amazon SQS in which you specify the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide

The following example VPC endpoint policy specifies that the IAM user MyUser is allowed to send messages to the Amazon SQS queue MyQueue.

{ "Statement": [{ "Action": ["sqs:SendMessage"], "Effect": "Allow", "Resource": "arn:aws:sqs:us-east-2:123456789012:MyQueue", "Principal": { "AWS": "arn:aws:iam:123456789012:user/MyUser" } }] }

The following are denied:

  • Other Amazon SQS API actions, such as sqs:CreateQueue and sqs:DeleteQueue.

  • Other IAM users and rules which attempt to use this VPC endpoint.

  • MyUser sending messages to a different Amazon SQS queue.


The IAM user can still use other Amazon SQS API actions from outside the VPC. For more information, see Deny Access if It Isn't from a VPC Endpoint.