AWS SQS exposed queues

Last updated: 10 November 2017
Security

Risk level: High (act today)

Identify any publicly accessible SQS queues available in your AWS account and update their permissions in order to protect against unauthorized users.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Allowing anonymous users to access your SQS queues can lead to unauthorized actions such as intercepting, deleting and sending queue messages. One common scenario is that the queue owner grants permissions to everyone by setting the Principal to "Everybody (*)" while testing the queue configuration, and the insecure set of permissions then reaches production. To avoid data leakage and unexpected costs on your AWS bill, limit access to your queues by implementing the necessary policies.

Audit

To determine if there are any exposed SQS queues available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Select the Permissions tab from the bottom panel.

05 Under Add a Permission search for any policies applied to the selected queue:

  1. If there are no custom policies created, only the queue owner has access to the queue.
  2. If one or more custom policies are assigned, look for any statement where the Principal element is set to Everybody (*). If the Effect element value is Allow, the Principal is set to Everybody (*) and no Conditions are set (None), the queue is exposed to anonymous access.

06 Repeat step no. 3 – 5 for each SQS queue available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run the list-queues command (OSX/Linux/UNIX) to list all SQS queues available in the selected region and their URLs:

aws sqs list-queues \
    --region us-east-1

02 The command output should return each SQS queue URL:

{
    "QueueUrls": [
        "https://queue.amazonaws.com/123456789012/MyWebMobileQueue",
        "https://queue.amazonaws.com/123456789012/MyWorkerAppQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) to return the selected SQS queue policy using its full URL for identification:

aws sqs get-queue-attributes \
    --region us-east-1 \
    --queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue \
    --attribute-names Policy

04 The command output should return the queue policy document:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue/MySQsPolicy",
  "Statement": [
    {
      "Sid": "Sid1461320167486",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "SQS:SendMessage",
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:PurgeQueue"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue"
    }
  ]
}

If the returned policy document contains Principal elements that grant permissions to everyone, e.g. "Principal": "*", without Condition clauses (IP-based, time interval, etc.) restricting access, the SQS queue is exposed to anonymous access at any time.
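The audit rule above applied in code, as an added example (not Cloud Conformity's tooling): the three policy documents are constructed samples, the first being the exposed policy shown in step 04, and the function names are this example's own. It also accepts the {"AWS": "*"} spelling of Everybody, a bare statement object instead of a list, and a missing Policy attribute.

```python
"""Check an SQS queue policy for anonymous (Everybody "*") access: an Allow
statement whose Principal is "*" and that has no Condition exposes the queue."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue"

# Constructed sample: the exposed policy shown in the audit steps above.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Sid1461320167486", "Effect": "Allow", "Principal": "*",
    "Action": ["SQS:SendMessage", "SQS:ReceiveMessage",
               "SQS:DeleteMessage", "SQS:PurgeQueue"],
    "Resource": QUEUE_ARN}]})

# Constructed sample: Everybody written as {"AWS": "*"} in a lone statement
# object, but an IP Condition is present, so this rule does not flag it.
CONDITIONED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "FromOffice", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "SQS:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}})

# Constructed sample: the queue after remediation, one AWS account only.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "SendWebAppMessages", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "SQS:SendMessage", "Resource": QUEUE_ARN}]})


def principal_is_everybody(principal):
    """True when Principal means Everybody: "*" or {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def exposed_statements(policy_json):
    """Return Sids of Allow statements granting unconditioned anonymous access.
    policy_json is the Policy attribute; None means only the owner has access."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and principal_is_everybody(s.get("Principal"))
            and not s.get("Condition")]
```

Feed it the Policy value returned by get-queue-attributes for each queue URL from list-queues; a non-empty result is a finding for this rule.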

Remediation / Resolution

To update the custom policies and set the appropriate permissions to secure any exposed SQS queues, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Select the Permissions tab from the bottom panel.

05 Click the pencil icon to edit the selected queue policy.

06 In the Add a Permission to <queue name>, perform the following:

  1. Under the Effect section, select Allow or Deny to explicitly grant or deny permission to a specified user (principal).
  2. Under the Principal section, uncheck the Everybody (*) checkbox and enter the AWS account ID of the principal to be allowed or denied (based on your access requirements). Multiple principals can be added (another AWS account or an IAM user).
  3. Under the Actions section, use the dropdown list to select or deselect the SQS request actions that the principal is or is not allowed to make. To select the entire list of request actions, check All SQS Actions (SQS:*).
  4. (Optional) Click Add Conditions (optional) to express additional restrictions that further narrow the queue permissions.

07 Click Save Changes to update the policy.

08 Repeat step no. 3 – 7 for each SQS queue available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run the list-queues command (OSX/Linux/UNIX) to list all SQS queues available in the selected region and their URLs:

aws sqs list-queues \
    --region us-east-1

02 The command output should return each SQS queue URL:

{
    "QueueUrls": [
        "https://queue.amazonaws.com/123456789012/MyWebMobileQueue",
        "https://queue.amazonaws.com/123456789012/MyWorkerAppQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) to return the selected SQS queue policy using its full URL for identification:

aws sqs get-queue-attributes \
    --region us-east-1 \
    --queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue \
    --attribute-names Policy

04 The command output should return the queue policy document:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue/MySQsPolicy",
  "Statement": [
    {
      "Sid": "Sid1461320167486",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "SQS:SendMessage",
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:PurgeQueue"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue"
    }
  ]
}

05 Run remove-permission command (OSX/Linux/UNIX) to remove a certain statement from the selected SQS queue policy. The following example removes a policy statement labeled SendMobileMessages from the SQS queue with the URL https://queue.amazonaws.com/123456789012/MyWebMobileQueue (the command does not return any output):

aws sqs remove-permission \
    --region us-east-1 \
    --queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue \
    --label SendMobileMessages

06 Run the add-permission command (OSX/Linux/UNIX) to add a new statement to the selected queue policy. The following example adds a policy statement labeled SendWebAppMessages that grants the AWS account with the ID 123456789012 permission to send messages to the SQS queue with the URL https://queue.amazonaws.com/123456789012/MyWebMobileQueue (the command does not return any output):

aws sqs add-permission \
    --region us-east-1 \
    --queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue \
    --label SendWebAppMessages \
    --aws-account-ids 123456789012 \
    --actions SendMessage

Publication date Apr 23, 2016