Ensure that SQS policy won't allow all actions from all principals

SQS queues might contain sensitive information. Determine the specific principals and the actions they require, and then craft an IAM policy that grants only those permissions.

Risk Level: Critical
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.TF.AWS.IAM.56
Covered by Spectral: No
Category: Database


aws_sqs_queue should not have (policy regexMatch /"Effect":\s*"Allow"/i)  and (policy regexMatch /"Action":\s*"*"/i or policy regexMatch /"Action":\s*"SQS:*"/i)  and (policy regexMatch /"Principal":\s*"*"/i or policy regexMatch /"Principal":\s*"AWS:*"/i)


Perform the following to set a new SQS policy:

From Portal

  1. Login to AWS Console
  2. Navigate to SQS Service
  3. Select the relevant queue and click Edit
  4. Look for "Access policy", and edit the policy.

From CLI
aws sqs set-queue-attributes --queue-url <queue-url> --attributes file://update_attributes.json
where update_attributes.json contains the new queue policy as the value of the "Policy" attribute.

You can use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

Use the following reference for additional information regarding access and SQS policies:
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html
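As an added example (not part of this rule page or of CloudGuard's own tooling), a small Python check that applies the rule's logic to a queue policy document and builds the contents of the attributes file for the set-queue-attributes call above; the queue ARN, account ID and role name are constructed placeholders.

```python
import json
# Constructed sample: every SQS action for every principal (what this rule reports).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SQS:*",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
    }],
}
# Constructed sample: the same queue limited to one consumer role and two actions.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-consumer"},
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
    }],
}

def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _wildcard_action(action):
    # Action names are case-insensitive, so "SQS:*" and "sqs:*" are the same.
    return any(a.lower() in ("*", "sqs:*") for a in _as_list(action))

def open_statements(policy):
    """Allow statements pairing a wildcard principal with a wildcard action.
    Like the rule's regex this ignores any Condition block, so review each hit."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))
            and _wildcard_action(s.get("Action", []))]

def queue_attributes(policy):
    # Body of update_attributes.json: the policy document as a JSON string under Policy.
    return {"Policy": json.dumps(policy)}
```

Write `queue_attributes(HARDENED_POLICY)` to update_attributes.json with json.dump and pass it to the CLI command above.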

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

  • Terraform AWS CIS Foundations