Ensure SQS Dead-letter queue is not configured to send messages to the source queue

A queue's dead-letter queue should not be the queue itself. If a queue's dead-letter queue is itself, it is impossible to distinguish messages that were sent to the source queue from messages that were redirected to the dead-letter queue after failed processing.

Risk Level: Low
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.AWS.OPE.19
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Sqs should not have redrivePolicy.deadLetterTargetArn=id

REMEDIATION

From Portal
Perform the following to set a dead-letter queue for an existing queue:

  1. Log in to the AWS Console
  2. Navigate to the SQS service
  3. Create a new queue. This queue will be used as the dead-letter queue of the existing queue.
  4. Select the relevant existing queue and click Edit
  5. Look for "Dead-letter queue - Optional" and, in the drop-down, select the ARN of the new queue.

From Command Line

aws sqs set-queue-attributes --queue-url Queue_url --attributes file://update_attributes.json

See the example input file update_attributes.json below. The file should contain a RedrivePolicy whose deadLetterTargetArn is different from the ARN of the source queue.

{
  "DelaySeconds": "value",
  "MaximumMessageSize": "value",
  "MessageRetentionPeriod": "value",
  "ReceiveMessageWaitTimeSeconds": "value",
  "RedrivePolicy": "{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:80398EXAMPLE:MyDeadLetterQueue\",\"maxReceiveCount\":\"value\"}",
  "VisibilityTimeout": "value"
}
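The check behind the GSL logic above, and the construction of a correctly escaped update_attributes.json, as an added Python example that is not part of the CloudGuard rule page. RedrivePolicy is a JSON document stored as a string inside the attribute map, so it has to be parsed (and serialised) a second time; the ARNs, account id and queue names are constructed placeholders.

```python
import json

# Constructed placeholder ARNs (not real resources); the attribute maps below
# mirror the shape returned by `aws sqs get-queue-attributes`.
SOURCE_ARN = "arn:aws:sqs:us-east-1:123456789012:MyQueue"
DLQ_ARN = "arn:aws:sqs:us-east-1:123456789012:MyDeadLetterQueue"

# Sample queue attributes: one violating the rule, one compliant, one with no DLQ.
SAMPLE_SELF_REF = {
    "QueueArn": SOURCE_ARN,
    "RedrivePolicy": '{"deadLetterTargetArn":"%s","maxReceiveCount":"5"}' % SOURCE_ARN,
}
SAMPLE_OK = {
    "QueueArn": SOURCE_ARN,
    "RedrivePolicy": '{"deadLetterTargetArn":"%s","maxReceiveCount":"5"}' % DLQ_ARN,
}
SAMPLE_NO_DLQ = {"QueueArn": SOURCE_ARN}


def dlq_target(attributes):
    """Return deadLetterTargetArn from the queue's RedrivePolicy, or None when
    no redrive policy is configured. The policy is a JSON string, so it must be
    decoded separately from the surrounding attribute map."""
    policy = attributes.get("RedrivePolicy")
    if not policy:
        return None
    return json.loads(policy).get("deadLetterTargetArn")


def dlq_is_self_referencing(attributes):
    """True when the queue names itself as its own dead-letter queue, which is
    the condition D9.AWS.OPE.19 flags."""
    target = dlq_target(attributes)
    return target is not None and target == attributes["QueueArn"]


def redrive_attributes(source_arn, dlq_arn, max_receive_count):
    """Build the attribute map for `aws sqs set-queue-attributes`, refusing a
    DLQ that points back at the source queue. Serialising the nested policy
    with json.dumps escapes its quotes correctly when the map is written out."""
    if dlq_arn == source_arn:
        raise ValueError("dead-letter queue must not be the source queue")
    policy = {"deadLetterTargetArn": dlq_arn, "maxReceiveCount": str(max_receive_count)}
    return {"RedrivePolicy": json.dumps(policy)}


if __name__ == "__main__":
    print("self-referencing:", dlq_is_self_referencing(SAMPLE_SELF_REF))
    # Content for update_attributes.json, with the inner quotes escaped.
    print(json.dumps(redrive_attributes(SOURCE_ARN, DLQ_ARN, 5), indent=2))
```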

References

  1. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue.html
  2. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS Console, Command Line Interface, or SDK of your choice, and three simple commands.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset