Ensure that all your AWS SQS queues are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account entities. Before the Cloud Conformity engine runs this rule, you need to provide the ID of each trusted AWS account (e.g. 575392584085) that may access your queues, using the rule settings available in the Cloud Conformity Console.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing untrusted cross-account access to your SQS queues can lead to unauthorized actions such as intercepting, deleting or sending queue messages without permission. To prevent data leaks and data loss, and to avoid unexpected charges on your AWS bill, limit access to trusted entities only by implementing the necessary SQS queue policies.
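The check this rule performs, shown as an added example that is not Cloud Conformity's own code: parse an SQS queue policy document and list every principal granted access by an Allow statement that is not in the configured trusted-account list. The sample policy is constructed; 575392584085 is the rule text's example trusted account and 111111111111 is a made-up untrusted account.

```python
# Added example, not Cloud Conformity's code. 575392584085 is the rule text's
# sample trusted account; 111111111111 is a constructed untrusted account.
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def principal_accounts(principal):
    """Account IDs named by a statement's Principal; a wildcard is returned as '*'."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    found = set()
    for value in values:
        if value == "*" or ACCOUNT_RE.match(value):
            found.add(value)                 # bare account ID or wildcard
        elif match := ARN_ACCOUNT_RE.match(value):
            found.add(match.group(1))        # account embedded in an IAM/STS ARN
    return found


def untrusted_principals(policy_json, trusted_accounts):
    """Principals ('*' or account IDs) that Allow statements grant access to and
    that are outside trusted_accounts. Conditions are not evaluated, so a
    conditional grant to '*' is still flagged: a deliberately conservative audit."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    flagged = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            flagged |= principal_accounts(stmt.get("Principal", {})) - set(trusted_accounts)
    return sorted(flagged)


# Constructed sample queue policy: a trusted grant, an open grant and a mixed grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::575392584085:root"},
         "Action": "sqs:SendMessage", "Resource": "*"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "sqs:ReceiveMessage", "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:DeleteMessage", "Resource": "*",
         "Principal": {"AWS": ["111111111111", "arn:aws:iam::575392584085:user/ops"]}},
    ],
})
```

A real audit would feed this function the `Policy` attribute returned by `get-queue-attributes` for each queue from `list-queues`; an empty result means every Allow statement names only trusted accounts.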
Audit
To determine whether any AWS SQS queues allow unknown cross-account access, perform the following:
Remediation / Resolution
To update your AWS SQS queue permissions so that cross-account access is allowed only from trusted entities, perform the following:
References
- AWS Documentation
  - Amazon SQS FAQs
  - Authentication and Access Control for Amazon SQS
  - Key Concepts
  - Examples of Policies for Delegating Access
- AWS Command Line Interface (CLI) Documentation
  - sqs
  - list-queues
  - get-queue-attributes
  - set-queue-attributes
Rule: SQS Cross Account Access
Risk level: High