AWS SQS Queue is Exposed to the Public
Description:
Amazon Simple Queue Service (SQS) is a managed message queue service that allows decoupling between different parts of a cloud application. A common misconfiguration is exposing the SQS queue to the public, potentially allowing unauthorized access and operations. Making SQS queues publicly accessible might expose sensitive information, or unauthorized entities might send, receive, or delete messages in the queue.
Remediation:
1. Restrict Access to the SQS Queue:
AWS Management Console:
- Navigate to the SQS service.
- In the navigation pane, select Queues.
- Click on the name of the queue you wish to modify.
- In the Permissions tab, review the access permissions.
- Delete any permissions that have
Allow
forEveryone
orAny AWS user
and grant explicit permissions to specific AWS accounts, roles, or services.
AWS CLI:
To get the queue's current attributes:
aws sqs get-queue-attributes --queue-url <YOUR-QUEUE-URL> --attribute-names All
To set a new policy:
aws sqs set-queue-attributes --queue-url <YOUR-QUEUE-URL> --attributes Policy=<NEW-POLICY>
Replace <YOUR-QUEUE-URL>
with the URL of your SQS queue and <NEW-POLICY>
with your desired JSON policy.
Terraform:
resource "aws_sqs_queue" "example" {
name = "example-queue"
# ... other configurations ...
policy = jsonencode({
Version = "2012-10-17"
Id = "example-policy-id"
Statement = [
{
Action = "sqs:SendMessage"
Effect = "Allow"
Resource = aws_sqs_queue.example.arn
Principal = {
AWS = "arn:aws:iam::<ACCOUNT-ID>:root"
}
}
# ... other statements ...
]
})
}
Replace <ACCOUNT-ID>
with your specific AWS account ID or other desired entities. Adjust the policy as needed to ensure public access is restricted.
Recommendation:
Always practice the principle of least privilege. Only allow the necessary permissions to the SQS queues and restrict public access. Regularly review your SQS queue permissions to detect and fix potential misconfigurations.
Updated about 1 year ago