Setup Guide
Quick Start
- Create an account — Sign up with your email. We'll send a magic link (no password needed).
- Connect AWS — Go to Settings and add your AWS account using access keys or an IAM role.
- Discover queues — DeadQueue auto-discovers all SQS dead letter queues in the connected region.
- Set up alerts — Go to Alerts and add Slack, email, or PagerDuty channels.
- Monitor — Your dashboard shows queue depth, message age, and trend charts. Alerts fire automatically on status changes.
1. Connect Your AWS Account
DeadQueue supports two ways to connect your AWS account:
Option A: Access Keys (default)
- In the AWS Console, go to IAM → Users → Create user.
- Name it something like deadqueue-monitor.
- Attach the permissions listed in the IAM Permissions section below.
- Go to the user's Security credentials tab and create an access key.
- In DeadQueue, go to Settings, select Access Keys, and paste the Access Key ID and Secret Access Key.
- Select your AWS region and click Connect Account.
Your credentials are encrypted at rest using AES-256-GCM. They are never logged or exposed via the API.
Option B: IAM Role (cross-account)
- In the AWS Console, go to IAM → Roles → Create role.
- Select Another AWS account as the trusted entity.
- Enter the DeadQueue AWS account ID (provided in the Settings page) and enable Require external ID.
- Attach the permissions listed in the IAM Permissions section below.
- In DeadQueue, go to Settings, select IAM Role, and paste the Role ARN.
- Select your AWS region and click Connect Account.
IAM Role auth uses temporary credentials via STS AssumeRole. No long-lived secrets are stored.
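A check you can run on the role's trust policy before pasting the Role ARN, added here as an example and not DeadQueue's own code. The account ID 111122223333 and the external ID value are placeholders, and check_trust_policy is a hypothetical helper name.

```python
# Constructed sample: 111122223333 and EXAMPLE-EXTERNAL-ID are placeholders,
# not DeadQueue's real values (use the ones from your own setup).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_account(principal):
    """Account ID from a bare ID or an IAM ARN; '*' is returned unchanged."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def check_trust_policy(policy, trusted_account, external_id):
    """Return findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws:
            if principal_account(p) != trusted_account:
                findings.append(f"untrusted principal: {p}")
        if isinstance(principal, dict) and set(principal) - {"AWS"}:
            findings.append("non-account principal types present")
        # Without this condition any caller in the trusted account could
        # ask for the role on behalf of a different customer.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if external_id not in as_list(cond.get("sts:ExternalId")):
            findings.append("sts:ExternalId condition missing or different")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, "111122223333", "EXAMPLE-EXTERNAL-ID"))
```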
2. IAM Permissions
DeadQueue needs read-only access to SQS and minimal STS permissions. Create a policy with the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeadQueueMonitoring",
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:GetQueueUrl"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeadQueueReplay",
      "Effect": "Allow",
      "Action": [
        "sqs:StartMessageMoveTask",
        "sqs:ListMessageMoveTasks",
        "sqs:CancelMessageMoveTask"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeadQueueIdentity",
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}
If you don't need message replay, you can omit the DeadQueueReplay statement. The monitoring-only permissions are completely read-only.
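To confirm that the policy you actually attached grants nothing beyond the actions listed above, the following added example (not DeadQueue's own code) audits a policy document against those two action lists. The function name audit_policy and the sample policy with its extra "sqs:*" grant are constructed for illustration.

```python
# Action lists copied from the policy on this page.
MONITORING = {"sqs:GetQueueAttributes", "sqs:ListQueues",
              "sqs:ListDeadLetterSourceQueues", "sqs:GetQueueUrl",
              "sts:GetCallerIdentity"}
REPLAY = {"sqs:StartMessageMoveTask", "sqs:ListMessageMoveTasks",
          "sqs:CancelMessageMoveTask"}

# Constructed sample: monitoring statements plus an over-broad extra statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeadQueueMonitoring", "Effect": "Allow", "Resource": "*",
         "Action": ["sqs:GetQueueAttributes", "sqs:ListQueues",
                    "sqs:ListDeadLetterSourceQueues", "sqs:GetQueueUrl"]},
        {"Sid": "DeadQueueIdentity", "Effect": "Allow", "Resource": "*",
         "Action": "sts:GetCallerIdentity"},
        {"Sid": "Extra", "Effect": "Allow", "Resource": "*",
         "Action": ["sqs:StartMessageMoveTask", "sqs:*"]},
    ],
}

def to_list(value):
    """Action and Statement may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Compare the Allow statements of a policy with the lists on this page."""
    known = {a.lower(): a for a in MONITORING | REPLAY}  # IAM actions ignore case
    granted, unexpected = set(), []
    for stmt in to_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            unexpected.append("NotAction in " + stmt.get("Sid", "<no Sid>"))
        for action in to_list(stmt.get("Action")):
            if action.lower() in known:
                granted.add(known[action.lower()])
            else:
                unexpected.append(action)  # wildcards such as "sqs:*" land here
    return {
        "unexpected": sorted(unexpected),
        "replay_granted": sorted(granted & REPLAY),
        "missing_monitoring": sorted(MONITORING - granted),
        "read_only": not unexpected and not (granted & REPLAY),
    }
```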
3. Queue Discovery
After connecting your AWS account, DeadQueue automatically discovers all SQS queues in the selected region that are configured as dead letter queues (i.e., they are the target of another queue's redrive policy).
For each discovered DLQ, DeadQueue tracks:
- Depth — The approximate number of messages currently in the queue.
- Oldest message age — How long the oldest message has been sitting in the DLQ (in seconds).
- Status — OK (empty), WARNING (depth ≥ threshold), or CRITICAL (depth ≥ 10x threshold).
- Source queue — The queue that routes failed messages to this DLQ.
Queues are polled every 60 seconds. The dashboard and trend charts update automatically.
4. Configure Alerts
DeadQueue fires alerts when a queue's status changes (e.g., OK → WARNING, WARNING → CRITICAL, or any state → RESOLVED). Alerts are sent to all enabled channels.
Supported channels
- Slack — Provide an Incoming Webhook URL. Alerts are sent as rich Block Kit messages with queue name, depth, age, status, and runbook link.
- Email — Provide an email address. Alerts are sent as HTML emails via Resend.
- PagerDuty — Provide a routing key from a PagerDuty service integration. Alerts use the Events API v2 with automatic deduplication (resolved alerts auto-resolve the PagerDuty incident).
Setting up Slack
- In Slack, go to your workspace's App Directory and search for Incoming Webhooks.
- Add a new webhook and select the channel where you want alerts (e.g., #ops-alerts).
- Copy the webhook URL (starts with https://hooks.slack.com/).
- In DeadQueue, go to Alerts, select Slack Webhook, paste the URL, and click Add Channel.
→ Full Slack setup walkthrough — step-by-step with screenshots, testing instructions, and troubleshooting.
Setting up PagerDuty
- In PagerDuty, go to Services and select (or create) a service.
- Under Integrations, add a new integration using Events API v2.
- Copy the Integration Key (routing key).
- In DeadQueue, go to Alerts, select PagerDuty, paste the routing key, and click Add Channel.
5. Runbooks & Notes
Each queue supports a runbook URL and custom notes. These are included in every alert so the on-call engineer knows exactly where to start.
- From the Dashboard, click on a queue to open the detail view.
- Scroll down to the Queue Settings section.
- Add a Runbook URL (e.g., a link to your Confluence page, Notion doc, or GitHub wiki).
- Add Notes (e.g., "This queue processes Stripe webhooks — check payment service first").
- Optionally adjust the Depth threshold (default: 1) and toggle monitoring on/off.
- Click Save Settings.
Tip: A good runbook answers "what broke, what do I check first, and who do I escalate to" in under 30 seconds.
6. Message Replay
DeadQueue lets you redrive messages from a DLQ back to its source queue for reprocessing, using the native AWS StartMessageMoveTask API.
- From the Dashboard, click on a queue that has messages (depth > 0).
- In the Message Replay section, click Start Replay.
- Messages are moved back to the source queue by AWS. Progress is tracked in the replay history table.
- You can cancel an in-progress replay if needed.
Replay requires the sqs:StartMessageMoveTask, sqs:ListMessageMoveTasks, and sqs:CancelMessageMoveTask permissions. See IAM Permissions.
FAQ
How often does DeadQueue poll my queues?
Every 60 seconds by default. Each poll cycle checks all monitored queues across all connected AWS accounts.
Are my AWS credentials safe?
Yes. Access keys are encrypted at rest using AES-256-GCM before being stored. They are never logged, never returned by the API, and never leave the server except to make SQS API calls. If you prefer not to store credentials at all, use the IAM Role option instead.
What triggers an alert?
Alerts fire on status transitions, not on every poll. For example, when a queue goes from OK to WARNING, or from CRITICAL to RESOLVED. This prevents alert fatigue from repeated notifications about the same issue.
What's the difference between WARNING and CRITICAL?
WARNING means the queue depth has reached or exceeded the configured threshold (default: 1 message). CRITICAL means the depth is 10x or more of the threshold. Both trigger alerts.
Can I monitor queues in multiple regions?
Yes. Connect a separate AWS account entry for each region. You can use the same credentials with different regions, or different credentials for different accounts.
Does replay delete messages from the DLQ?
Yes. AWS's StartMessageMoveTask moves messages from the DLQ back to the source queue. Once moved, they are removed from the DLQ. The queue depth updates on the next poll cycle.
What if I only want monitoring without replay?
Omit the replay permissions (sqs:StartMessageMoveTask, sqs:ListMessageMoveTasks, sqs:CancelMessageMoveTask) from your IAM policy. The replay button will show an error if permissions aren't available, but monitoring works independently.