Ensure there is a Dead Letter Queue configured for each Amazon SQS queue

Amazon SQS supports dead-letter queues, which other queues (source queues) can target for messages that can't be processed (consumed) successfully. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing doesn't succeed.

Risk Level: Low
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.TF.AWS.OPE.12
Covered by Spectral: No
Category: Database

GSL LOGIC

aws_sqs_queue should have redrive_policy

REMEDIATION

Perform the following to set a dead-letter queue for existing queue:

From Portal

  1. Sign in to the Amazon SQS console at https://console.aws.amazon.com/sqs/
  2. Choose Create New Queue.
  3. On the Create New Queue page, ensure that you're in the correct region and then type the Queue Name.
  4. Standard is selected by default. Choose FIFO.
  5. Choose Configure Queue.
  6. Enable the redrive policy for your new queue, select any queue as the dead-letter queue, and set the number of maximum receives to 50.

From CLI
aws sqs set-queue-attributes --queue-url <Queue url> --attributes <file:update_attributes.json>
Where the file should contain RedrivePolicy with deadLetterTargetArn different then the source queue.

References
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

  • Terraform AWS CIS Foundations