Amazon_SQS_7

Ensure that SQS policy won't allow all actions from all principals without a condition

Description

SQS might contain sensitive information. Determine the specific principals the their required actions, and then craft IAM policy with the required permissions.

Remediation

From console
1. Open the Amazon SQS console at https://console.aws.amazon.com/sqs/.
2. In the navigation pane, choose Queues.
3. Choose a queue and choose Edit.
4. Scroll to the Access policy section.
4. Edit the access policy statements in the input box. or You can use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html.
5. In the policy When Effect is ‘Allow’ Make sure you DO NOT mention Action=’sqs:*’, and Principal=’*’. And add a condition in the policy statement.
5. When you finish configuring the access policy, choose Save.

From CLI
1. Create a .json file with policy statement

aws sqs set-queue-attributes –queue-url QUEUE_URL –attributes FILE:UPDATE_ATTRIBUTES.JSON

Where the file should contain the new policy for the queue.

Reference:
1. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-authentication-and-access-control.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html
3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html
4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy

Service

SQS

Severity

High

Compliance

Mapping

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!