Logo of Trend Micro

SQS Queue Exposed

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SQS-001

Identify any publicly accessible SQS queues available in your AWS account and update their permissions in order to protect against unauthorized users.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Allowing anonymous users to have access to your SQS queues can lead to unauthorized actions such as intercepting, deleting and sending queue messages. One common scenario is when the queue owner grants permissions to everyone by setting the Principal to “Everybody (*)” while testing the queue system configuration and the insecure set of permissions reach into production. To avoid data leakage and unexpected costs on your AWS bill, limit access to your queues by implementing the necessary policies.

Audit

To determine if there are any exposed SQS queues available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Select the Permissions tab from the bottom panel.

05 Under Add a Permission search for any policies applied to the selected queue:

  1. If there are no custom policies created: If there are no custom policies created, only the queue owner has access to it.
  2. If one or more custom policies are assigned, identify the configuration where the Principal element is set to Everybody (*). If the Effect element value is Allow and the Principals is set to Everybody (*) without any values set for Conditions (None): If the Effect element value is Allow and the Principals is set to Everybody without any values set for Conditions (None), the queue is exposed to anonymous access.

06 Repeat step no. 3 – 5 for each SQS queue available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to expose all SQS queues available in the selected region and their URLs:

aws sqs list-queues 
	--region us-east-1

02 The command output should return each SQS queue URL: 

{
    "QueueUrls": [
        "https://queue.amazonaws.com/123456789012/MyWebMobileQueue",
        "https://queue.amazonaws.com/123456789012/MyWorkerAppQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) to return the selected SQS queue policy using its full URL for identification: 

aws sqs get-queue-attributes
	--region us-east-1
	--queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue
	--attribute-names Policy

04 The command output should return the queue policy document: 

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue/MySQsPolicy",
  "Statement": [
    {
      "Sid": "Sid1461320167486",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "SQS:SendMessage",
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:PurgeQueue"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue"
    }
  ]
}

If the policy document returned contains Principal elements that grant permissions to everyone: e.g. “Principal”: “*” without using Condition clauses (IP based, time interval, etc) to restrict the user access, the SQS queue is exposed to anonymous access at any time.

Remediation / Resolution

To update the custom policies and set the appropriate permissions to secure any exposed SQS queues, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Select the Permissions tab from the bottom panel.

05 Click the pencil icon:

to edit the selected queue policy.

06 In the Add a Permission to <queue name>, perform the following:

  1. Under Effect section, select Allow or Deny to explicitly grant or deny permission to a specified user (principal).
  2. Under Principal section, uncheck Everybody (*) checkbox and enter the AWS account ID of the person allowed or denied (based on your access requirements). Multiple accounts can be added (can be another AWS account or an IAM user).
  3. Under Actions section, click the dropdown list to select or deselect AWS SQS requests that the principal is allowed or not to make. To select the entire list of request actions check All SQS Actions (SQS:*).
  4. (Optional) Click Add Conditions (optional) to express any additional restrictions in order to fine filter the queue permissions.

07 Click Save Changes to update the policy.

08 Repeat step no. 3 – 7 for each SQS queue available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to expose all SQS queues available in the selected region and their URLs: 

aws sqs list-queues 
	--region us-east-1

02 The command output should return each SQS queue URL: 

{
    "QueueUrls": [
        "https://queue.amazonaws.com/123456789012/MyWebMobileQueue",
        "https://queue.amazonaws.com/123456789012/MyWorkerAppQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) to return the selected SQS queue policy using its full URL for identification: 

aws sqs get-queue-attributes
	--region us-east-1
	--queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue
	--attribute-names Policy

04 The command output should return the queue policy document: 

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue/MySQsPolicy",
  "Statement": [
    {
      "Sid": "Sid1461320167486",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "SQS:SendMessage",
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:PurgeQueue"
      ],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:MyWebMobileQueue"
    }
  ]
}

05 Run remove-permission command (OSX/Linux/UNIX) to remove a certain statement from the selected SQS queue policy. The following example removes a policy statement labeled SendMobileMessages from the SQS queue with the URL https://queue.amazonaws.com/123456789012/MyWebMobileQueue (the command does not return any output): 

aws sqs remove-permission
	--region us-east-1
	--queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue
	--label SendMobileMessages

06 Run add-permission command (OSX/Linux/UNIX) to add a new statement to the selected queue policy. The following example add a policy statement labeled SendWebAppMessages that grants permission to the user with the ID 123456789012 to send messages to the specified SQS queue with the URL https://queue.amazonaws.com/123456789012/MyWebMobileQueue (the command does not return any output): 

aws sqs add-permission
	--region us-east-1
	--queue-url https://queue.amazonaws.com/123456789012/MyWebMobileQueue
	--label SendWebAppMessages
	--aws-account-ids 123456789012
	--actions SendMessage

References

Publication date Apr 23, 2016

Related SQS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

SQS Queue Exposed

Risk level: High