Ensure that SQS policy won't allow all actions from all principals

SQS queues might contain sensitive information. Determine the specific principals and their required actions, and then craft an IAM policy granting only those permissions.

Risk Level: High
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.AWS.IAM.83
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Sqs should not have policy.Statement contain [Effect='Allow' and ((Principal='*' or Principal.AWS='*') and Action contain ['%SQS:*%']) and Condition ]

REMEDIATION

From console

  1. Open the Amazon SQS console at https://console.aws.amazon.com/sqs/.
  2. In the navigation pane, choose Queues.
  3. Choose a queue and choose Edit.
  4. Scroll to the Access policy section.
  5. Edit the access policy statements in the input box, or use the AWS Policy Generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html.
  6. In any statement whose Effect is 'Allow', make sure you DO NOT set Action = 'sqs:*' together with Principal = '*', and add a Condition element to the statement.
  7. When you finish configuring the access policy, choose Save.

From CLI

  1. Create a JSON file with the policy statement where, when Effect is 'Allow', you DO NOT set Action = 'sqs:*' together with Principal = '*', and a Condition element is present in the statement. The attributes file maps the Policy attribute to the policy document serialised as a JSON string.
  2. Use the CLI command below to update the policy.
aws sqs set-queue-attributes --queue-url <Queue url> --attributes file://update_attributes.json
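The GSL logic above and the CLI step can both be exercised offline. The following Python is an added example, not CloudGuard's own checker: it implements the rule's condition (Effect Allow, Principal '*' or Principal.AWS '*', an SQS wildcard action, no Condition) over constructed sample policies, and builds the update_attributes.json body that the set-queue-attributes command expects. It goes slightly beyond the page's GSL pattern by also treating a bare "*" action as a wildcard. The policies, account IDs and the SNS topic ARN are constructed placeholders.

```python
import json

# Constructed sample policies (not from the original page). OPEN_POLICY is
# the shape the rule flags; SCOPED_POLICY mirrors the page's compliant samples.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
        }
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
            "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
            "Condition": {
                "ArnEquals": {
                    # Placeholder topic ARN (constructed for this example).
                    "aws:SourceArn": "arn:aws:sns:us-east-2:111122223333:example-topic"
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM lets most elements be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for Principal = "*" or Principal = {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_is_wildcard_sqs(action):
    """True when any Action entry is the SQS wildcard. The rule's '%SQS:*%'
    pattern is matched case-insensitively; a bare "*" (all services) is
    treated as a wildcard too, which is broader than the page's GSL."""
    return any(a == "*" or a.lower() == "sqs:*" for a in _as_list(action))


def offending_statements(policy):
    """Indexes of statements that are Allow + wildcard principal + wildcard
    SQS action and carry no Condition element."""
    hits = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(statement.get("Principal")):
            continue
        if not action_is_wildcard_sqs(statement.get("Action")):
            continue
        if statement.get("Condition"):
            continue
        hits.append(index)
    return hits


def build_attributes_file(policy):
    """Content for update_attributes.json as consumed by
    `aws sqs set-queue-attributes --attributes file://update_attributes.json`:
    the Policy attribute carries the policy document as a JSON string,
    so the document is serialised twice."""
    return json.dumps({"Policy": json.dumps(policy, separators=(",", ":"))}, indent=2)


def policy_from_attributes_file(text):
    """Inverse of build_attributes_file, useful for checking a file before upload."""
    return json.loads(json.loads(text)["Policy"])


if __name__ == "__main__":
    for name, policy in (("OPEN_POLICY", OPEN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "offending statements:", offending_statements(policy))
    # Only write the attributes file for a policy the check accepts.
    if not offending_statements(SCOPED_POLICY):
        with open("update_attributes.json", "w") as fh:
            fh.write(build_attributes_file(SCOPED_POLICY))
```

Running the script prints `[0]` for the open policy and `[]` for the scoped one, and writes an update_attributes.json that can be passed to the command in step 2 above. The double serialisation in build_attributes_file is the detail that most often trips people up: the Policy attribute value is a string, not a nested JSON object.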

From CFT

  1. In any statement whose Effect is 'Allow', make sure you DO NOT set Action = 'sqs:*' together with Principal = '*', and add a Condition element to your policy document.
    See below sample template.

Resource: AWS::SQS::QueuePolicy

Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - 'https://sqs.us-east-2.amazonaws.com/444455556666/myqueue'
      PolicyDocument:
        Statement:
          - Action: [ 'SQS:SendMessage', 'SQS:ReceiveMessage' ]
            Effect: Allow
            Principal:
              AWS:
                - '111122223333'
            Condition:
              ArnEquals:
                # ARN of the SNS topic allowed to send to the queue (placeholder value)
                'aws:SourceArn': 'arn:aws:sns:us-east-2:111122223333:example-topic'

From TF

  1. In any statement whose Effect is 'Allow', make sure you DO NOT set Action = 'sqs:*' together with Principal = '*', and add a Condition element to your policy document.
    See below sample template.
resource "aws_sqs_queue_policy" "test" {
  queue_url = "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": { "AWS": "111122223333" },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_sns_topic.example.arn}"
        }
      }
    }
  ]
}
POLICY
}

References

  1. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-authentication-and-access-control.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html
  3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset