Triage AWS SQS Queues should have a redrive queue configured NO_REDRIVE_POLICY_CONFIGURED
Why should I care about fixing this issue?
To get started on understanding why you should configure a DLQ / redrive policy for SQS, read our use-case page.
What is the data source for this policy?
This policy relies on a call to sqs:GetQueueAttributes. If the RedrivePolicy attribute in the response is missing or empty, the policy opens a violation.
Does this policy scan on a schedule? If so, when?
No, it's triggered when changes to matching resources are detected.
How do I configure a DLQ / redrive policy using AWS Console?
Follow the instructions on Configuring a dead-letter queue redrive (console).
How do I configure a DLQ / redrive policy using CloudFormation?
Use the RedrivePolicy property of AWS::SQS::Queue. Note that the property is optional.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ExampleQueue:
    Type: 'AWS::SQS::Queue'
    Properties:
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt ExampleQueueDLQ.Arn
        maxReceiveCount: 5
  ExampleQueueDLQ:
    Type: 'AWS::SQS::Queue'
How do I configure a DLQ / redrive policy using Terraform?
aws_sqs_queue has the redrive_policy property, which you set on the source queue to designate another queue as its DLQ. For example:

resource "aws_sqs_queue" "example_source" {
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.example_dlq.arn
    maxReceiveCount     = 5
  })
}

resource "aws_sqs_queue" "example_dlq" {
  redrive_allow_policy = jsonencode({
    redrivePermission = "allowAll" // default setting
  })
}
If you require a guardrail on which source queues a given DLQ can be used for, set redrivePermission to byQueue and list the permitted source queues in sourceQueueArns. However, if the source queue's redrive_policy references the DLQ ARN while the DLQ's redrive_allow_policy references the source queue ARN, Terraform reports Error: Cycle. To avoid this, specify the source queue's redrive policy in the separate aws_sqs_queue_redrive_policy resource. For example:

resource "aws_sqs_queue" "example_source" {
}

resource "aws_sqs_queue_redrive_policy" "example_redrive_policy" {
  queue_url = aws_sqs_queue.example_source.id
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.example_dlq.arn
    maxReceiveCount     = 5
  })
}

resource "aws_sqs_queue" "example_dlq" {
  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue"
    sourceQueueArns   = [aws_sqs_queue.example_source.arn]
  })
}
It is also possible to define the DLQ's redrive allow policy in its own aws_sqs_queue_redrive_allow_policy resource. For example:

resource "aws_sqs_queue" "example_source" {
}

resource "aws_sqs_queue_redrive_policy" "example_redrive_policy" {
  queue_url = aws_sqs_queue.example_source.id
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.example_dlq.arn
    maxReceiveCount     = 5
  })
}

resource "aws_sqs_queue" "example_dlq" {
}

resource "aws_sqs_queue_redrive_allow_policy" "example_dlq_redrive_allow_policy" {
  queue_url = aws_sqs_queue.example_dlq.id
  redrive_allow_policy = jsonencode({
    redrivePermission = "byQueue"
    sourceQueueArns   = [aws_sqs_queue.example_source.arn]
  })
}
How do I configure a DLQ / redrive policy using AWS CLI?
First create your source queue and a DLQ using aws sqs create-queue and store the QueueUrl returned for each. Next, get the ARN of the DLQ using aws sqs get-queue-attributes. Finally, call aws sqs set-queue-attributes on the source queue and provide a RedrivePolicy. For example:

aws sqs create-queue \
  --queue-name ExampleSource
# {
#     "QueueUrl": "https://sqs.us-west-2.amazonaws.com/538925826978/ExampleSource"
# }

aws sqs create-queue \
  --queue-name ExampleDLQ
# {
#     "QueueUrl": "https://sqs.us-west-2.amazonaws.com/538925826978/ExampleDLQ"
# }

aws sqs get-queue-attributes \
  --queue-url https://sqs.us-west-2.amazonaws.com/538925826978/ExampleDLQ \
  --attribute-names QueueArn
# {
#     "Attributes": {
#         "QueueArn": "arn:aws:sqs:us-west-2:538925826978:ExampleDLQ"
#     }
# }

aws sqs set-queue-attributes \
  --queue-url https://sqs.us-west-2.amazonaws.com/538925826978/ExampleSource \
  --attributes '{"RedrivePolicy": "{\"deadLetterTargetArn\":\"arn:aws:sqs:us-west-2:538925826978:ExampleDLQ\",\"maxReceiveCount\":5}"}'
# None
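As an added example that is not part of this page or its policy tooling, the following Python evaluates GetQueueAttributes output the way the data-source question describes (violation when RedrivePolicy is absent or empty) and also applies the DLQ-side redrivePermission rules (allowAll, denyAll, byQueue with sourceQueueArns) from the Terraform section. The sample responses are constructed from the queue names and account id shown above, and the DLQ_REJECTS_SOURCE label is my own, not part of the policy.

```python
import json

# Constructed GetQueueAttributes responses in the shape `aws sqs get-queue-attributes`
# prints, reusing the queue names and account shown on this page. SQS returns the
# RedrivePolicy and RedriveAllowPolicy attributes as JSON *strings* inside Attributes.
DLQ_ARN = "arn:aws:sqs:us-west-2:538925826978:ExampleDLQ"
SOURCE_ARN = "arn:aws:sqs:us-west-2:538925826978:ExampleSource"
SOURCE_WITHOUT_REDRIVE = {"Attributes": {"QueueArn": SOURCE_ARN}}
SOURCE_WITH_REDRIVE = {"Attributes": {
    "QueueArn": SOURCE_ARN,
    "RedrivePolicy": json.dumps(
        {"deadLetterTargetArn": DLQ_ARN, "maxReceiveCount": "5"}),
}}
DLQ_BY_QUEUE = {"Attributes": {
    "QueueArn": DLQ_ARN,
    "RedriveAllowPolicy": json.dumps(
        {"redrivePermission": "byQueue", "sourceQueueArns": [SOURCE_ARN]}),
}}
DLQ_DENY_ALL = {"Attributes": {
    "QueueArn": DLQ_ARN,
    "RedriveAllowPolicy": json.dumps({"redrivePermission": "denyAll"}),
}}

def parse_redrive_policy(response):
    """Decode RedrivePolicy; None when the attribute is absent or empty."""
    raw = response.get("Attributes", {}).get("RedrivePolicy")
    return json.loads(raw) if raw else None

def dlq_accepts(dlq_response, source_arn):
    """Apply the DLQ's RedriveAllowPolicy; an absent policy behaves like allowAll."""
    raw = dlq_response.get("Attributes", {}).get("RedriveAllowPolicy")
    allow = json.loads(raw) if raw else {}
    permission = allow.get("redrivePermission", "allowAll")
    if permission == "byQueue":
        return source_arn in allow.get("sourceQueueArns", [])
    return permission == "allowAll"  # "denyAll" (or anything unknown) -> False

def triage(source_response, dlqs_by_arn):
    """Classify a source queue. NO_REDRIVE_POLICY_CONFIGURED is this policy's
    violation; DLQ_REJECTS_SOURCE (a label chosen here) flags a redrive policy
    whose target DLQ will not accept messages from this source; otherwise OK."""
    policy = parse_redrive_policy(source_response)
    if not policy or not policy.get("deadLetterTargetArn"):
        return "NO_REDRIVE_POLICY_CONFIGURED"
    dlq = dlqs_by_arn.get(policy["deadLetterTargetArn"])
    if dlq and not dlq_accepts(dlq, source_response["Attributes"]["QueueArn"]):
        return "DLQ_REJECTS_SOURCE"
    return "OK"
```

Real output from aws sqs get-queue-attributes --attribute-names All, parsed with json.loads, has the same shape and can be passed straight to triage.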
When is it appropriate to mark this violation as "by design"?
To get started on understanding why you should configure a DLQ / redrive policy for SQS, read our use-case page.