Login

Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Ensure SQS Queue Policy is Not Publicly Accessible Rule

This rule ensures that the SQS queue policy is not accessible to the public, enhancing security measures.

RuleEnsure SQS queue policy is not publicly accessible
FrameworkCloudDefense.AI Security
Severity
High

Rule Description

The rule ensures that the Amazon Simple Queue Service (SQS) queue policy is not publicly accessible. This is to avoid unauthorized access to the queue and its data. It helps in maintaining the security and privacy of the messages stored in the queue.

Troubleshooting Steps

If a SQS queue policy is found to be publicly accessible, follow these steps to troubleshoot the issue:

  2. 1.
    Check the existing queue policy: Review the current policy associated with the SQS queue and verify if it allows public access. You can do this through the AWS Management Console, CLI, or SDKs.
  4. 2.
    Verify public permissions: Check if any permissions are granting public access to the SQS queue. Look for "*" or "Public" as a principal in the policy statements.
  6. 3.
    Check for unintended permissions: Ensure that the queue policy does not have any unintended permissions that may open it to public access. Review all policy statements carefully.
  8. 4.
    Review resource-based policies: Check if any resource-based policies (e.g., AWS Identity and Access Management (IAM) policies) exist that grant public access to the SQS queue.
  10. 5.
    Ensure proper authentication and authorization: Confirm that the queue policy enforces authentication and authorization mechanisms to secure the queue.

Code Samples (if applicable)

If you need to update the SQS queue policy, here is an example AWS CLI command:

aws sqs set-queue-attributes --queue-url <queue-url> --attributes file://queue-policy.json

Ensure the 

queue-url
parameter is replaced with the actual URL of the SQS queue, and 
queue-policy.json
contains the updated policy document.

Remediation Steps

To remediate the publicly accessible SQS queue policy, follow these steps:

  2. 1.
    Open the AWS Management Console and navigate to the Amazon SQS service.
  4. 2.
    Select the SQS queue that should be secured.
  6. 3.
    Click on the "Permissions" tab to view the queue's policy.
  8. 4.
    Identify any existing public access permissions or unintended permissions that should be removed.
  10. 5.
    Click on the "Edit" button next to the policy to update it.
  12. 6.
    Modify the policy to restrict access only to authorized AWS users, roles, or accounts.
  14. 7.
    Remove any policy statements that allow public access (* or Public as the principal).
  16. 8.
    Save the updated policy.
  18. 9.
    Verify the new policy and ensure it adheres to your security requirements.
  20. 10.
    Monitor the queue's policy regularly to ensure the access remains restricted.

By following these steps, you can review, troubleshoot, and remediate any publicly accessible SQS queue policy, thus ensuring the security of your sensitive queue data.

Is your System Free of Underlying Vulnerabilities?
Find Out Now