Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that all your AWS SQS queues are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account entities. Prior to running this rule by the Cloud Conformity engine, you need to provide the ID of each trusted AWS account (e.g. 575392584085) that can access your queues by using the rule settings available on the Cloud Conformity Console.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Security
Allowing untrustworthy cross account access to your SQS queues can lead to unauthorized actions such as intercepting, deleting or sending queue messages without permission. To prevent data leaks, data loss and avoid unexpected costs on your AWS bill, limit access only to the trusted entities by implementing the necessary SQS policies.
To determine if there are any AWS SQS queues that allow unknown cross account access, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.
03 Select the SQS queue that you want to examine.
04 Select the Permissions tab from the bottom panel.
05 In the Principals column of each policy statement, identify the AWS account ID e.g.
available within each principal Amazon Resource Name (ARN).
06 Sign in to your Cloud Conformity Console, access the SQS Cross Account Access conformity rule settings and compare the AWS account ID(s) found at the previous step against each ID listed within the rule configuration section. If the identity (account) ID selected does not match any of the trusted entities IDs listed on your Cloud Conformity Console, the cross account access to the AWS SQS queue is not secured.
07 Repeat steps no. 3 – 6 for each SQS queue available in the current AWS region.
08 Change the AWS region from the navigation bar to repeat the process for other regions.
To update your AWS SQS queues permissions in order to allow cross account access only from trusted entities, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.
03 Select the SQS queue that you want to update.
04 Select the Permissions tab from the bottom panel.
05 Identify each insecure policy statement (see Audit section part I) and click the pencil icon:
to edit the selected policy statement. You can also open and edit directly the entire policy document by using the Edit Policy Document (Advanced) button.
06 Inside the Add a Permission to <queue name> dialog box, select Deny to explicitly deny the access to the specified principal, which represents the untrustworthy AWS account. If you choose to edit the queue policy document directly, just change the Effect property value to Deny for the unsafe principal(s) available then click Review Policy.
07 Click Save Changes to update the selected policy statement.
08 Repeat step no. 3 – 7 for each SQS queue that you want to update, available in the current AWS region.
09 Change the AWS region from the navigation bar to repeat the entire process for other regions.
Unlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
SQS Cross Account Access
Risk level: High
|