Ensure there is a Dead Letter Queue configured for each Amazon SQS queue

Amazon SQS supports dead-letter queues, which other queues (source queues) can target for messages that can't be processed (consumed) successfully. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing doesn't succeed.

Risk Level: Low
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.AWS.OPE.12
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Sqs should have redrivePolicy.deadLetterTargetArn
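The GSL rule above only tests that a redrive policy names a dead-letter target. The following added example (not CloudGuard's or AWS's own code) shows how to run the same check over the attribute map that `aws sqs get-queue-attributes` or boto3's `get_queue_attributes` returns, and goes beyond the rule by also checking the constraints AWS enforces on a redrive policy: the target must be a different queue, of the same type (standard or FIFO), in the same account and Region, with a maxReceiveCount between 1 and 1000. It also tags queues that other queues name as their dead-letter target, since a dead-letter queue normally has no redrive policy of its own and would otherwise show up as a violation. `evaluate_queue()` and `audit_inventory()` run offline on a constructed inventory (placeholder account 123456789012); `audit_account()` assumes boto3 and AWS credentials with sqs:ListQueues and sqs:GetQueueAttributes.

```python
"""Check SQS queues for rule D9.AWS.OPE.12 (Sqs should have
redrivePolicy.deadLetterTargetArn) plus the constraints AWS places on a
redrive policy.  Added example, not CloudGuard's or AWS's own code."""
import json

MAX_RECEIVE_COUNT_RANGE = (1, 1000)  # documented bounds for maxReceiveCount


def _finding(arn, compliant, reason, dlq_arn=None, max_receive_count=None):
    return {"queue": arn, "compliant": compliant, "reason": reason,
            "dlq_arn": dlq_arn, "max_receive_count": max_receive_count}


def evaluate_queue(queue_arn, attributes):
    """Evaluate one queue's attribute map (as returned by get-queue-attributes)."""
    raw = attributes.get("RedrivePolicy")
    if not raw:
        return _finding(queue_arn, False, "no RedrivePolicy configured")
    try:
        policy = json.loads(raw)  # RedrivePolicy is a JSON document stored as a string
    except json.JSONDecodeError:
        return _finding(queue_arn, False, "RedrivePolicy is not valid JSON")
    dlq_arn = policy.get("deadLetterTargetArn")
    if not dlq_arn:
        return _finding(queue_arn, False, "RedrivePolicy lacks deadLetterTargetArn")
    if dlq_arn == queue_arn:
        return _finding(queue_arn, False, "queue targets itself as its dead-letter queue", dlq_arn)
    # A FIFO source needs a FIFO DLQ and a standard source needs a standard DLQ.
    if queue_arn.endswith(".fifo") != dlq_arn.endswith(".fifo"):
        return _finding(queue_arn, False,
                        "source and dead-letter queue must both be standard or both be FIFO", dlq_arn)
    # arn:partition:sqs:region:account:name -> DLQ must share Region and account.
    src, dst = queue_arn.split(":"), dlq_arn.split(":")
    if len(dst) != 6 or dst[2] != "sqs" or src[3:5] != dst[3:5]:
        return _finding(queue_arn, False,
                        "dead-letter queue must be an SQS queue in the same account and Region", dlq_arn)
    try:
        max_receive = int(policy.get("maxReceiveCount"))  # the API stores it as a string
    except (TypeError, ValueError):
        return _finding(queue_arn, False, "maxReceiveCount missing or not an integer", dlq_arn)
    low, high = MAX_RECEIVE_COUNT_RANGE
    if not low <= max_receive <= high:
        return _finding(queue_arn, False, f"maxReceiveCount {max_receive} outside {low}-{high}",
                        dlq_arn, max_receive)
    return _finding(queue_arn, True, "ok", dlq_arn, max_receive)


def audit_inventory(inventory):
    """inventory: {queue ARN: attribute map}.  One finding per queue; queues that
    other queues use as their DLQ are tagged is_dlq so they can be excluded from
    the rule instead of being reported for lacking their own redrive policy."""
    targets = set()
    for attrs in inventory.values():
        try:
            targets.add(json.loads(attrs.get("RedrivePolicy") or "{}").get("deadLetterTargetArn"))
        except json.JSONDecodeError:
            pass
    findings = []
    for arn, attrs in inventory.items():
        finding = evaluate_queue(arn, attrs)
        finding["is_dlq"] = arn in targets
        findings.append(finding)
    return findings


def audit_account(region):
    """Collect live attributes (assumption: boto3 installed, credentials configured)."""
    import boto3
    sqs = boto3.client("sqs", region_name=region)
    inventory = {}
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            attrs = sqs.get_queue_attributes(
                QueueUrl=url, AttributeNames=["QueueArn", "RedrivePolicy"])["Attributes"]
            inventory[attrs["QueueArn"]] = attrs
    return audit_inventory(inventory)


# Constructed sample inventory with placeholder account 123456789012; not real queues.
_DLQ = "arn:aws:sqs:us-east-1:123456789012:orders-dlq"
SAMPLE_INVENTORY = {
    "arn:aws:sqs:us-east-1:123456789012:orders": {
        "RedrivePolicy": json.dumps({"deadLetterTargetArn": _DLQ, "maxReceiveCount": "4"})},
    _DLQ: {},                                               # the DLQ itself: no policy
    "arn:aws:sqs:us-east-1:123456789012:audit": {},         # plain violation
    "arn:aws:sqs:us-east-1:123456789012:payments.fifo": {   # FIFO source, standard DLQ
        "RedrivePolicy": json.dumps({"deadLetterTargetArn": _DLQ, "maxReceiveCount": "4"})},
    "arn:aws:sqs:us-east-1:123456789012:loop": {            # points at itself
        "RedrivePolicy": json.dumps({
            "deadLetterTargetArn": "arn:aws:sqs:us-east-1:123456789012:loop",
            "maxReceiveCount": "4"})},
}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['queue'].rsplit(':', 1)[1]:14} is_dlq={f['is_dlq']!s:5} {f['reason']}")
```

Running the sample reports `orders` as compliant, `orders-dlq` as non-compliant but tagged `is_dlq`, and the other three as genuine violations with the reason that applies. Whether to exempt `is_dlq` queues is a policy decision; if you keep them in scope, give the dead-letter queue its own redrive policy pointing at a further queue rather than at itself.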

REMEDIATION

From Portal
Perform the following to set a dead-letter queue for an existing queue:

  1. Sign in to the Amazon SQS console at https://console.aws.amazon.com/sqs/
  2. In the navigation pane, choose Queues.
  3. Choose a queue and choose Edit.
  4. Scroll to the Dead-letter queue section and choose Enabled.
  5. Choose the Amazon Resource Name (ARN) of an existing dead-letter queue that you want to associate with this source queue. It must be a different queue of the same type (standard or FIFO) in the same account and Region.
  6. Set Maximum receives (for example, 50), the number of times a message can be received without being deleted before it is moved to the dead-letter queue. Choose a value that matches the number of delivery attempts your consumer should make before a message is treated as a poison message.
  7. Choose Save.

From TF

resource "aws_sqs_queue" "terraform_queue_deadletter" {
  name = "terraform-example-deadletter-queue"   # must be the same type (standard/FIFO) as the source queue
}

resource "aws_sqs_queue" "terraform_queue" {
  name = "terraform-example-queue"
  redrive_policy = jsonencode({                 # configures the DLQ for this source queue
    deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn
    maxReceiveCount     = 4                     # moved to the DLQ after 4 unsuccessful receives
  })
}

From CLI
Create a file update_attributes.json containing the RedrivePolicy as a JSON string. The deadLetterTargetArn must name a different queue than the source queue (placeholder Region, account ID and queue name shown):

{
  "RedrivePolicy": "{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:123456789012:MyDeadLetterQueue\",\"maxReceiveCount\":\"5\"}"
}

Then apply it to the source queue:

aws sqs set-queue-attributes --queue-url QUEUE-URL --attributes file://update_attributes.json

Confirm the policy was stored:

aws sqs get-queue-attributes --queue-url QUEUE-URL --attribute-names RedrivePolicy

References

  1. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html
  3. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset