

# Configuring Amazon SQS queues using the Amazon SQS console
<a name="sqs-configuring"></a>

Use the Amazon SQS console to configure and manage Amazon SQS queues and features. You can also:
+ Enable server-side encryption for enhanced security.
+ Associate a dead-letter queue to handle unprocessed messages.
+ Set up a trigger to invoke a Lambda function for event-driven processing.

# Attribute-based access control for Amazon SQS
<a name="sqs-abac"></a>

## What is ABAC?
<a name="sqs-abac-whatis"></a>

Attribute-based access control (ABAC) is an authorization process that defines permissions based on tags that are attached to users and AWS resources. ABAC provides granular and flexible access control based on attributes and values, reduces security risk related to reconfigured role-based policies, and centralizes auditing and access policy management. For more details about ABAC, see [What is ABAC for AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

Amazon SQS supports ABAC by allowing you to control access to your Amazon SQS queues based on the tags and aliases that are associated with an Amazon SQS queue. The tag and alias condition keys that enable ABAC in Amazon SQS authorize IAM principals to use Amazon SQS queues without editing policies or managing grants. To learn more about ABAC condition keys, see [Condition keys for Amazon SQS](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html#amazonsqs-policy-keys) in the *Service Authorization Reference*.

With ABAC, you can use tags to configure IAM access permissions and policies for your Amazon SQS queues, which helps you to scale your permissions management. You can create a single permissions policy in IAM using tags that you add to each business role—without having to update the policy each time you add a new resource. You can also attach tags to IAM principals to create an ABAC policy. You can design ABAC policies to allow Amazon SQS operations when the tag on the IAM user role that's making the call matches the Amazon SQS queue tag. To learn more about tagging in AWS, see [AWS Tagging Strategies](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) and [Amazon SQS cost allocation tags](sqs-queue-tags.md).

**Note**  
ABAC for Amazon SQS is currently available in all AWS Commercial Regions where Amazon SQS is available, with the following exceptions:
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Melbourne)
+ Europe (Spain)
+ Europe (Zurich)

## Why should I use ABAC in Amazon SQS?
<a name="sqs-abac-benefits"></a>

Here are some benefits of using ABAC in Amazon SQS:
+ ABAC for Amazon SQS requires fewer permissions policies. You don't have to create different policies for different job functions. You can use resource and request tags that apply to more than one queue, which reduces operational overhead.
+ Use ABAC to scale teams quickly. Permissions for new resources are automatically granted based on tags when resources are appropriately tagged during their creation.
+ Use permissions on the IAM principal to restrict resource access. You can create tags for the IAM principal and use them to restrict access to specific actions that match the tags on the IAM principal. This helps you to automate the process of granting request permissions.
+ Track who's accessing your resources. You can determine the identity of a session by looking at user attributes in AWS CloudTrail.

**Topics**
+ [What is ABAC?](#sqs-abac-whatis)
+ [Why should I use ABAC in Amazon SQS?](#sqs-abac-benefits)
+ [Tagging for access control](sqs-abac-tagging-resource-control.md)
+ [Creating IAM users and Amazon SQS queues](sqs-abac-creating-queues.md)
+ [Testing attribute-based access control](sqs-abac-testing-access-control.md)

# Tagging for access control in Amazon SQS
<a name="sqs-abac-tagging-resource-control"></a>

The following is an example of using tags for access control in Amazon SQS. The IAM policy grants an IAM user all Amazon SQS actions, but only on queues that carry a resource tag with the key `environment` and the value `prod`. For more information, see [Attribute-based access control with tags and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging_abac.html).

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessForProd",
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "prod"
        }
      }
    }
  ]
}
```

# Creating IAM users and Amazon SQS queues
<a name="sqs-abac-creating-queues"></a>

The following examples explain how to create an ABAC policy to control access to Amazon SQS using the AWS Management Console and CloudFormation.

## Using the AWS Management Console
<a name="sqs-abac-creating-queues-console"></a>

**Create an IAM user**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **User** from the left navigation pane.

1. Choose **Add Users** and enter a name in the **User name** text box.

1. Select the **Access key - Programmatic access** box and choose **Next:Permissions**.

1. Choose **Next:Tags**.

1. Add the tag key as `environment` and the tag value as `beta`.

1. Choose **Next:Review** and then choose **Create user**.

1. Copy and store the access key ID and secret access key in a secure location.

**Add IAM user permissions**

1. Select the IAM user that you created.

1. Choose **Add inline policy**.

1. On the JSON tab, paste the following policy:

1. Choose **Review policy**.

1. Choose **Create policy**.

## Using AWS CloudFormation
<a name="sqs-abac-creating-queues-cf"></a>

Use the following sample CloudFormation template to create an IAM user with an inline policy attached and an Amazon SQS queue:

```
AWSTemplateFormatVersion: "2010-09-09"
Description: "CloudFormation template to create IAM user with custom inline policy"
Resources:
    IAMPolicy:
        Type: "AWS::IAM::Policy"
        Properties:
            PolicyDocument: |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AllowAccessForSameResTag",
                            "Effect": "Allow",
                            "Action": [
                                "sqs:SendMessage",
                                "sqs:ReceiveMessage",
                                "sqs:DeleteMessage"
                            ],
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"
                                }
                            }
                        },
                        {
                            "Sid": "AllowAccessForSameReqTag",
                            "Effect": "Allow",
                            "Action": [
                                "sqs:CreateQueue",
                                "sqs:DeleteQueue",
                                "sqs:SetQueueAttributes",
                                "sqs:TagQueue"
                            ],
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "aws:RequestTag/environment": "${aws:PrincipalTag/environment}"
                                }
                            }
                        },
                        {
                            "Sid": "DenyAccessForProd",
                            "Effect": "Deny",
                            "Action": "sqs:*",
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "aws:ResourceTag/stage": "prod"
                                }
                            }
                        }
                    ]
                }
            Users:
              - "testUser"
            PolicyName: tagQueuePolicy

    IAMUser:
        Type: "AWS::IAM::User"
        Properties:
            Path: "/"
            UserName: "testUser"
            Tags:
              - Key: "environment"
                Value: "beta"
```

# Testing attribute-based access control in Amazon SQS
<a name="sqs-abac-testing-access-control"></a>

The following examples show you how to test attribute-based access control in Amazon SQS.

## Create a queue with the tag key set to environment and the tag value set to prod
<a name="sqs-abac-testing-access-control-create-queue"></a>

Run this AWS CLI command to test creating the queue with the tag key set to environment and the tag value set to prod. If you don't have AWS CLI, you can [download and configure](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) it for your machine.

```
aws sqs create-queue --queue-name prodQueue --region us-east-1 --tags "environment=prod"
```

You receive an `AccessDenied` error from the Amazon SQS endpoint:

```
An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource <queueUrl> is denied.
```

This is because the tag value on the IAM user does not match the tag passed in the [CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html) API call. Remember that we applied a tag to the IAM user with the key set to `environment` and the value set to `beta`.

## Create a queue with the tag key set to environment and the tag value set to beta
<a name="sqs-abac-testing-access-control-create-env"></a>

Run this CLI command to test creating a queue with the tag key set to `environment` and the tag value set to `beta`.

```
aws sqs create-queue --queue-name betaQueue --region us-east-1 --tags "environment=beta"
```

You receive a message confirming the successful creation of the queue, similar to the one below.

```
{
  "QueueUrl": "<queueUrl>"
}
```

## Sending a message to a queue
<a name="sqs-abac-testing-access-control-sending-message"></a>

Run this CLI command to test sending a message to a queue.

```
aws sqs send-message --queue-url <queueUrl> --message-body testMessage
```

The response shows a successful message delivery to the Amazon SQS queue. The IAM user permission allows you to send a message to a queue that has a `beta` tag. The response includes the `MD5OfMessageBody` and `MessageId` of the message.

```
{
"MD5OfMessageBody": "<MD5OfMessageBody>",
"MessageId": "<MessageId>"
}
```
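The two `CreateQueue` outcomes above, and the `SendMessage` permission that the `tagQueuePolicy` inline policy in the CloudFormation template grants, can be reproduced offline. The following Python script is an added example, not part of the AWS documentation or of any AWS tooling: it models IAM's evaluation order for the template's three statements (a matching explicit Deny wins, a matching Allow permits, and no match at all is an implicit deny) and expands the `${aws:PrincipalTag/environment}` policy variable. It handles only `StringEquals` conditions and skips `Resource` matching because every statement in the template uses `"Resource": "*"`; it is a teaching aid, not a replacement for the IAM policy simulator.

```python
"""Toy evaluator for the ABAC policy in the CloudFormation template above.

Added example. Models IAM's evaluation order (explicit Deny beats Allow,
no matching Allow is an implicit deny) and ${aws:PrincipalTag/...} variable
expansion for StringEquals conditions only. Resource ARN matching is
skipped because every statement here uses "Resource": "*".
"""
import fnmatch
import re
from typing import Any, Dict, List, Optional, Union

Tags = Dict[str, str]

# Statements copied from tagQueuePolicy in the template above.
# IAM matches action names case-insensitively, so sqs:TagQueue and
# sqs:tagqueue are the same action.
TAG_QUEUE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccessForSameResTag", "Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"}}},
        {"Sid": "AllowAccessForSameReqTag", "Effect": "Allow",
         "Action": ["sqs:CreateQueue", "sqs:DeleteQueue",
                    "sqs:SetQueueAttributes", "sqs:TagQueue"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:RequestTag/environment": "${aws:PrincipalTag/environment}"}}},
        {"Sid": "DenyAccessForProd", "Effect": "Deny",
         "Action": "sqs:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/stage": "prod"}}},
    ],
}

_PRINCIPAL_TAG_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def _resolve(expected: str, principal_tags: Tags) -> Optional[str]:
    """Expand ${aws:PrincipalTag/key}. A principal without that tag leaves the
    variable unresolved, so the condition can never match (returns None)."""
    match = _PRINCIPAL_TAG_VAR.match(expected)
    if not match:
        return expected
    return principal_tags.get(match.group(1))


def _context_value(key: str, resource_tags: Tags, request_tags: Tags) -> Optional[str]:
    """Look up a condition key in the request context; unknown keys are absent."""
    if key.startswith("aws:ResourceTag/"):
        return resource_tags.get(key[len("aws:ResourceTag/"):])
    if key.startswith("aws:RequestTag/"):
        return request_tags.get(key[len("aws:RequestTag/"):])
    return None


def _condition_matches(condition: Dict[str, Dict[str, str]], principal_tags: Tags,
                       resource_tags: Tags, request_tags: Tags) -> bool:
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            want = _resolve(expected, principal_tags)
            have = _context_value(key, resource_tags, request_tags)
            if want is None or have is None or want != have:
                return False
    return True


def _action_matches(pattern: Union[str, List[str]], action: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(policy: Dict[str, Any], principal_tags: Tags, action: str,
             resource_tags: Optional[Tags] = None,
             request_tags: Optional[Tags] = None) -> str:
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    resource_tags = resource_tags or {}
    request_tags = request_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), principal_tags,
                                  resource_tags, request_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "EXPLICIT_DENY"   # Deny wins regardless of other statements
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


if __name__ == "__main__":
    beta_user = {"environment": "beta"}   # the tag applied to testUser above
    # The two CreateQueue calls from the CLI test: prod is implicitly denied, beta allowed.
    print(evaluate(TAG_QUEUE_POLICY, beta_user, "sqs:CreateQueue", request_tags={"environment": "prod"}))
    print(evaluate(TAG_QUEUE_POLICY, beta_user, "sqs:CreateQueue", request_tags={"environment": "beta"}))
```

Note the difference between the two refusals the model distinguishes: the `prodQueue` creation fails because no Allow statement matches (an implicit deny, which is what the CLI reports as `AccessDenied`), whereas a queue tagged `stage=prod` is refused by the explicit `DenyAccessForProd` statement even when the `environment` tags do match.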

# Configuring queue parameters using the Amazon SQS console
<a name="sqs-configure-queue-parameters"></a>

When [creating](creating-sqs-standard-queues.md#step-create-standard-queue) or [editing](sqs-configure-edit-queue.md) a queue, you can configure the following parameters:
+ **Visibility timeout** – The length of time that a message received from a queue (by one consumer) won't be visible to the other message consumers. For more information, see [Visibility timeout](sqs-visibility-timeout.md). 
**Note**  
Using the console to configure the visibility timeout configures the timeout value for all of the messages in the queue. To configure the timeout for single or multiple messages, you must use one of the AWS SDKs. 
+ **Message retention period** – The amount of time that Amazon SQS retains messages that remain in the queue. By default, the queue retains messages for four days. You can configure a queue to retain messages for up to 14 days. For more information, see [Message retention period](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html).
+ **Delivery delay** – The amount of time that Amazon SQS will delay before delivering a message that is added to the queue. For more information, see [Delivery delay](sqs-delay-queues.md).
+ **Maximum message size** – The maximum message size for this queue. For more information, see [Maximum message size](sqs-s3-messages.md).
+ **Receive message wait time** – The maximum amount of time that Amazon SQS waits for messages to become available after the queue gets a receive request. For more information, see [Amazon SQS short and long polling](sqs-short-and-long-polling.md).
+ **Enable content-based deduplication** – Amazon SQS can automatically create deduplication IDs based on the body of the message. For more information, see [Amazon SQS FIFO queues](sqs-fifo-queues.md).
+ **Enable high throughput FIFO** – Use to enable high throughput for messages in the queue. Choosing this option changes the related options ([Deduplication scope](enable-high-throughput-fifo.md) and [FIFO throughput limit](enable-high-throughput-fifo.md)) to the required settings for enabling high throughput for FIFO queues. For more information, see [High throughput for FIFO queues in Amazon SQS](high-throughput-fifo.md) and [Amazon SQS message quotas](quotas-messages.md).
+ **Redrive allow policy** – Defines which source queues can use this queue as the dead-letter queue. For more information, see [Using dead-letter queues in Amazon SQS](sqs-dead-letter-queues.md).

**To configure queue parameters for an existing queue (console)**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**. Choose a queue and choose **Edit**. 

1. Scroll to the **Configuration** section.

1. For **Visibility timeout**, enter the duration and units. The range is 0 seconds to 12 hours. The default value is 30 seconds.

1. For **Message retention period**, enter the duration and units. The range is 1 minute to 14 days. The default value is 4 days.

1. For a standard queue, enter a value for **Receive message wait time**. The range is 0 to 20 seconds. The default value is 0 seconds, which sets [short polling](sqs-short-and-long-polling.md). Any non-zero value sets long polling.

1. For **Delivery delay**, enter the duration and units. The range is 0 seconds to 15 minutes. The default value is 0 seconds.

1. For **Maximum message size**, enter a value. The range is from 1 KiB to 1024 KiB. The default value is 1024 KiB.

1. For a FIFO queue, choose **Enable content-based deduplication** to enable content-based deduplication. The default setting is disabled. 

1. (Optional) For a FIFO queue to enable higher throughput for sending and receiving messages in the queue, choose **Enable high throughput FIFO**.

   Choosing this option changes the related options (**Deduplication scope** and **FIFO throughput limit**) to the required settings for enabling high throughput for FIFO queues. If you change any of the settings required for using high throughput FIFO, normal throughput is in effect for the queue, and deduplication occurs as specified. For more information, see [High throughput for FIFO queues in Amazon SQS](high-throughput-fifo.md) and [Amazon SQS message quotas](quotas-messages.md).

1. For **Redrive allow policy**, choose **Enabled**. Select from the following: **Allow all** (default), **By queue** or **Deny all**. When choosing **By queue**, specify a list of up to 10 source queues by the Amazon Resource Name (ARN). 

1. When you finish configuring the queue parameters, choose **Save**.

# Configuring an access policy in Amazon SQS
<a name="sqs-configure-add-permissions"></a>

When you [edit](sqs-configure-edit-queue.md) a queue, you can configure its access policy to control who can interact with it.
+ The access policy defines which accounts, users, and roles have permissions to access the queue.
+ It specifies the allowed actions, such as [SendMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html), [ReceiveMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html), or [DeleteMessage](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_DeleteMessage.html).
+ By default, only the queue owner has permission to send and receive messages.

**To configure the access policy for an existing queue (console)**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**. 

1. Choose a queue and choose **Edit**. 

1. Scroll to the **Access policy** section.

1. Edit the **access policy statements** in the input box. For more on access policy statements, see [Identity and access management in Amazon SQS](security-iam.md).

1. When you finish configuring the access policy, choose **Save**.

# Configuring server-side encryption for a queue using SQS-managed encryption keys
<a name="sqs-configure-sqs-sse-queue"></a>

In addition to the [default](creating-sqs-standard-queues.md#step-create-standard-queue) Amazon SQS managed server-side encryption (SSE) option, Amazon SQS managed SSE (SSE-SQS) lets you configure server-side encryption that uses SQS-managed encryption keys to protect sensitive data sent over message queues. With SSE-SQS, you don't need to create and manage encryption keys, or modify your code to encrypt your data. SSE-SQS lets you transmit data securely and helps you meet strict encryption compliance and regulatory requirements at no additional cost.

SSE-SQS protects data at rest using 256-bit Advanced Encryption Standard (AES-256) encryption. SSE encrypts messages as soon as Amazon SQS receives them. Amazon SQS stores messages in encrypted form and decrypts them only when sending them to an authorized consumer.

**Note**  
The default SSE option is only effective when you create a queue without specifying encryption attributes.  
Amazon SQS allows you to turn off all queue encryption, so turning off SSE-KMS does not automatically enable SSE-SQS. To enable SSE-SQS after turning off SSE-KMS, you must explicitly request the attribute change.

**To configure SSE-SQS encryption for a queue (console)**
**Note**  
Any new queue created using the HTTP (non-TLS) endpoint will not enable SSE-SQS encryption by default. It is a security best practice to create Amazon SQS queues using HTTPS or [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) endpoints.

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**.

1. Choose a queue, and then choose **Edit**.

1. Expand **Encryption**.

1. For **Server-side encryption**, choose **Enabled** (default).
**Note**  
With SSE enabled, anonymous `SendMessage` and `ReceiveMessage` requests to the encrypted queue will be rejected. Amazon SQS security best practices recommend against using anonymous requests. If you wish to send anonymous requests to an Amazon SQS queue, make sure to disable SSE.

1. Select **Amazon SQS key (SSE-SQS)**. There is no additional fee for using this option.

1. Choose **Save**.

# Configuring server-side encryption for a queue using the Amazon SQS console
<a name="sqs-configure-sse-existing-queue"></a>

To protect the data in a queue’s messages, Amazon SQS has server-side encryption (SSE) enabled by default for all newly created queues. Amazon SQS integrates with the Amazon Web Services Key Management Service (Amazon Web Services KMS) to manage [KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) for server-side encryption (SSE). For information about using SSE, see [Encryption at rest in Amazon SQS](sqs-server-side-encryption.md).



The KMS key that you assign to your queue must have a key policy that includes permissions for all principals that are authorized to use the queue. For information, see [Key Management](sqs-key-management.md).

If you aren't the owner of the KMS key, or if you log in with an account that doesn't have `kms:ListAliases` and `kms:DescribeKey` permissions, you won't be able to view information about the KMS key on the Amazon SQS console. Ask the owner of the KMS key to grant you these permissions. For more information, see [Key Management](sqs-key-management.md).

When you [create](creating-sqs-standard-queues.md#step-create-standard-queue) or [edit](sqs-configure-edit-queue.md) a queue, you can configure SSE-KMS.

**To configure SSE-KMS for an existing queue (console)**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**.

1. Choose a queue, and then choose **Edit**.

1. Expand **Encryption**.

1. For **Server-side encryption**, choose **Enabled** (default).
**Note**  
With SSE enabled, anonymous `SendMessage` and `ReceiveMessage` requests to the encrypted queue will be rejected. Amazon SQS security best practices recommend against using anonymous requests. If you wish to send anonymous requests to an Amazon SQS queue, make sure to disable SSE.

1. Select **AWS Key Management Service key (SSE-KMS)**.

   The console displays the **Description**, the **Account**, and the **KMS key ARN** of the KMS key.

1. Specify the KMS key ID for the queue. For more information, see [Key terms](sqs-server-side-encryption.md#sqs-sse-key-terms).

   1. Choose the **Choose a KMS key alias** option.

   1. The default key is the Amazon Web Services managed KMS key for Amazon SQS. To use this key, choose it from the **KMS key** list. 

   1. To use a custom KMS key from your Amazon Web Services account, choose it from the **KMS key** list. For instructions on creating custom KMS keys, see [Creating Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *Amazon Web Services Key Management Service Developer Guide*.

   1. To use a custom KMS key that is not in the list, or a custom KMS key from another Amazon Web Services account, choose **Enter the KMS key alias** and enter the KMS key Amazon Resource Name (ARN).

1. (Optional) For **Data key reuse period**, specify a value between 1 minute and 24 hours. The default is 5 minutes. For more information, see [Understanding the data key reuse period](sqs-key-management.md#sqs-how-does-the-data-key-reuse-period-work).

1. When you finish configuring SSE-KMS, choose **Save**.

# Configuring cost allocation tags for a queue using the Amazon SQS console
<a name="sqs-configure-tag-queue"></a>

To organize and identify your Amazon SQS queues, you can add cost allocation tags. For more information, see [Amazon SQS cost allocation tags](sqs-queue-tags.md).
+ The Tagging tab on the Details page displays the queue's tags.
+ You can add or modify tags when [creating](creating-sqs-standard-queues.md#step-create-standard-queue) or [editing](sqs-configure-edit-queue.md) a queue.

**To configure tags for an existing queue (console)**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**. 

1. Choose a queue and choose **Edit**. 

1. Scroll to the **Tags** section.

1. Add, modify, or remove the queue tags:

   1. To add a tag, choose **Add new tag**, enter a **Key** and **Value**, and then choose **Add new tag**.

   1. To update a tag, change its **Key** and **Value**.

   1. To remove a tag, choose **Remove** next to its key-value pair.

1. When you finish configuring the tags, choose **Save**.

# Subscribing a queue to an Amazon SNS topic using the Amazon SQS console
<a name="sqs-configure-subscribe-queue-sns-topic"></a>

You can subscribe one or more Amazon SQS queues to an Amazon SNS topic. When you publish a message to a topic, Amazon SNS sends the message to each subscribed queue. Amazon SQS manages the subscription and handles the required permissions. For more information about Amazon SNS, see [What is Amazon SNS?](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) in the *Amazon Simple Notification Service Developer Guide*.

When you subscribe an Amazon SQS queue to an Amazon SNS topic, Amazon SNS uses HTTPS to forward messages to Amazon SQS. For information about using Amazon SNS with encrypted Amazon SQS queues, see [Configure KMS permissions for AWS services](sqs-key-management.md#compatibility-with-aws-services).

**Important**  
Amazon SQS supports a maximum of 20 statements for each access policy. Subscribing to an Amazon SNS topic adds one such statement. Exceeding this limit causes the topic subscription to fail.

**To subscribe a queue to an Amazon SNS topic (console)**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**.

1. From the list of queues, choose the queue to subscribe to the Amazon SNS topic.

1. From **Actions**, choose **Subscribe to Amazon SNS topic**.

1. From the **Specify an Amazon SNS topic available for this queue** menu, choose the Amazon SNS topic for your queue. 

   If the SNS topic isn't listed, choose **Enter Amazon SNS topic ARN** and then enter the topic's Amazon Resource Name (ARN).

1. Choose **Save**. 

1. To verify the subscription, publish a message to the topic and view the message in the queue. For more information, see [Amazon SNS message publishing](https://docs.aws.amazon.com/sns/latest/dg/sns-publishing.html) in the *Amazon Simple Notification Service Developer Guide*.

## Cross-account subscriptions
<a name="cross-account-subscriptions"></a>

If your Amazon SQS queue and Amazon SNS topic are in different AWS accounts, additional permissions are required.

**Topic owner (Account A)**

Modify the Amazon SNS topic's access policy to allow the Amazon SQS queue's AWS account to subscribe. Example policy statement:

```
{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
  "Action": "sns:Subscribe",
  "Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic"
}
```

This policy allows account `111122223333` to subscribe to `MyTopic`.

**Queue owner (Account B)**

Modify the Amazon SQS queue's access policy to allow the Amazon SNS topic to send messages. Example policy statement:

```
{
  "Effect": "Allow",
  "Principal": { "Service": "sns.amazonaws.com" },
  "Action": "sqs:SendMessage",
  "Resource": "arn:aws:sqs:us-east-1:111122223333:MyQueue",
  "Condition": {
    "ArnEquals": { "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic" }
  }
}
```

This policy allows `MyTopic` to send messages to `MyQueue`.
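The `aws:SourceArn` condition in the queue owner's statement is what stops any other SNS topic, in any account, from delivering to `MyQueue` through the `sns.amazonaws.com` service principal. A queue owner can check for that condition before saving a policy. The following Python script is an added example, not part of the AWS documentation: it reads a queue access policy document, flags `sqs:SendMessage` grants to `sns.amazonaws.com` that lack an `aws:SourceArn` or `aws:SourceAccount` condition, flags grants to an anonymous (`*`) principal, and enforces the 20-statement limit from the Important note above. The sample policy is constructed; its first statement is the page's own, the second drops the condition to show what gets flagged.

```python
"""Lint an Amazon SQS queue access policy for the pitfalls discussed above.

Added example with a constructed sample policy. The checks are opinionated
and are not an official AWS validator.
"""
from typing import Any, Dict, List

MAX_STATEMENTS = 20  # per-queue-policy limit stated in the Important note above

# Constructed sample: MyQueue in account 111122223333. "SnsDeliverScoped" is the
# page's statement; "SnsDeliverUnscoped" omits the aws:SourceArn condition.
SAMPLE_QUEUE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SnsDeliverScoped",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:MyQueue",
            "Condition": {
                "ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"}
            },
        },
        {
            "Sid": "SnsDeliverUnscoped",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:MyQueue",
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_send(stmt: Dict[str, Any]) -> bool:
    """True if the statement's actions cover sqs:SendMessage (case-insensitive)."""
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & {"sqs:sendmessage", "sqs:*", "*"})


def _is_scoped(stmt: Dict[str, Any]) -> bool:
    """True if some condition pins the caller via aws:SourceArn or aws:SourceAccount."""
    keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
    return bool(keys & {"aws:sourcearn", "aws:sourceaccount"})


def lint_queue_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    statements = _as_list(policy.get("Statement"))
    if len(statements) > MAX_STATEMENTS:
        findings.append(
            f"policy has {len(statements)} statements; Amazon SQS allows at most {MAX_STATEMENTS}")
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow" or not _grants_send(stmt):
            continue
        principal = stmt.get("Principal", {})
        services = set(_as_list(principal.get("Service"))) if isinstance(principal, dict) else set()
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if "sns.amazonaws.com" in services and not _is_scoped(stmt):
            findings.append(
                f"{sid}: sns.amazonaws.com may SendMessage without an "
                "aws:SourceArn/aws:SourceAccount condition")
        if anonymous and not _is_scoped(stmt):
            findings.append(f"{sid}: SendMessage is granted to an anonymous (*) principal")
    return findings


if __name__ == "__main__":
    for line in lint_queue_policy(SAMPLE_QUEUE_POLICY) or ["no findings"]:
        print(line)
```

Run against the sample, the linter reports only `SnsDeliverUnscoped`; the page's own statement passes because its `ArnEquals` block names the topic ARN.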

## Cross-region subscriptions
<a name="cross-region-subscriptions"></a>

To subscribe to an Amazon SNS topic in a different AWS Region, ensure that:
+ The Amazon SNS topic's access policy allows cross-region subscriptions.
+ The Amazon SQS queue's access policy permits the Amazon SNS topic to send messages across regions.

For more information, see [Sending Amazon SNS messages to an Amazon SQS queue or AWS Lambda function in a different Region](https://docs.aws.amazon.com/sns/latest/dg/sns-cross-region-delivery.html) in the *Amazon Simple Notification Service Developer Guide*.

# Configuring an Amazon SQS queue to trigger an AWS Lambda function
<a name="sqs-configure-lambda-function-trigger"></a>

You can use a Lambda function to process messages from an Amazon SQS queue. Lambda polls the queue and invokes your function synchronously, passing a batch of messages as an event.

**Configuring visibility timeout**   
Set the queue's visibility timeout to at least six times the [function timeout](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-common-summary). This ensures Lambda has enough time to retry if a function is throttled while processing a previous batch.

**Using a dead-letter queue (DLQ)**  
Specify a dead-letter queue to capture messages that the Lambda function fails to process.

**Handling multiple queues and functions**  
A Lambda function can process multiple queues by creating a separate event source for each queue. You can also associate multiple Lambda functions with the same queue.

**Permissions for encrypted queues**  
If you associate an encrypted queue with a Lambda function but Lambda doesn't poll for messages, add the `kms:Decrypt` permission to your Lambda execution role.

**Restrictions**  
The queue and Lambda function must be in the same AWS Region.  
An [encrypted queue](sqs-server-side-encryption.md) that uses the default key (AWS managed KMS key for Amazon SQS) cannot invoke a Lambda function in a different AWS account.

For implementation details, see [Using AWS Lambda with Amazon SQS](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html) in the *AWS Lambda Developer Guide*.

## Prerequisites
<a name="configure-lambda-function-trigger-prerequisites"></a>

To configure Lambda function triggers, you must meet the following requirements:
+ If you configure the trigger as an IAM user, that user's permissions must include the following:
  + `lambda:CreateEventSourceMapping`
  + `lambda:ListEventSourceMappings`
  + `lambda:ListFunctions`
+ The Lambda execution role must include the following permissions:
  + `sqs:DeleteMessage`
  + `sqs:GetQueueAttributes`
  + `sqs:ReceiveMessage`
+ If you associate an encrypted queue with a Lambda function, add the `kms:Decrypt` permission to the Lambda execution role.

For more information, see [Overview of managing access in Amazon SQS](sqs-overview-of-managing-access.md).

**To configure a queue to trigger a Lambda function (console)**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**.

1. On the **Queues** page, choose the queue to configure. 

1. On the queue's page, choose the **Lambda triggers** tab.

1. On the **Lambda triggers** page, choose a Lambda trigger.

   If the list doesn't include the Lambda trigger that you need, choose **Configure Lambda function trigger**. Enter the Amazon Resource Name (ARN) of the Lambda function or choose an existing resource. Then choose **Save**.

1. Choose **Save**. The console saves the configuration and displays the **Details** page for the queue.

   On the **Details** page, the **Lambda triggers** tab displays the Lambda function and its status. It takes approximately 1 minute for the Lambda function to become associated with your queue.

1. To verify the results of the configuration, [send a message to your queue](creating-sqs-standard-queues.md#sqs-send-messages) and then view the triggered Lambda function in the Lambda console.

# Automating notifications from AWS services to Amazon SQS using Amazon EventBridge
<a name="sqs-automating-using-eventbridge"></a>

Amazon EventBridge allows you to automate AWS services and respond to events, such as application issues or resource changes, in near real-time.
+ You can create rules to filter specific events and define automated actions when a rule matches an event.
+ EventBridge supports multiple targets, including Amazon SQS standard and FIFO queues, which receive events in JSON format.

For more information, see [Amazon EventBridge targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html) in the *[Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/)*.

# Sending a message with attributes using Amazon SQS
<a name="sqs-using-send-message-with-attributes"></a>

For standard and FIFO queues, you can attach structured metadata to messages, including timestamps, geospatial data, signatures, and identifiers. For more information, see [Amazon SQS message attributes](sqs-message-metadata.md#sqs-message-attributes).

**To send a message with attributes to a queue using the Amazon SQS console**

1. Open the Amazon SQS console at [https://console.aws.amazon.com/sqs/](https://console.aws.amazon.com/sqs/).

1. In the navigation pane, choose **Queues**.

1. On the **Queues** page, choose a queue.

1. Choose **Send and receive messages**. 

1. Enter the message attribute parameters. 

   1. In the name text box, enter a unique name of up to 256 characters. 

   1. For the attribute type, choose **String**, **Number**, or **Binary**.

   1. (Optional) Enter a custom data type. For example, you could add **byte**, **int**, or **float** as custom data types for **Number**. 

   1. In the value text box, enter the message attribute value.   
![\[The Amazon SQS console displaying the Message attributes section.\]](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/images/sqs-tutorials-sending-message-with-attributes.png)

1. To add another message attribute, choose **Add new attribute**.  
![\[The Amazon SQS console displaying the Remove button in the Message attributes section.\]](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/images/sqs-tutorials-sending-message-with-attributes-custom-attribute.png)

1. You can modify the attribute values any time before sending the message. 

1. To delete an attribute, choose **Remove**. To delete the first attribute, close **Message attributes**.

1. When you finish adding attributes to the message, choose **Send message**. Your message is sent and the console displays a success message. To view information about the message attributes of the sent message, choose **View details**. Choose **Done** to close the **Message details** dialog box.