Aqua CSPM

SQS Cross Account Access

Quick Info

Plugin Title: SQS Cross Account Access
Cloud: AWS
Category: SQS
Description: Ensures SQS policies disallow cross-account access
More Info: SQS policies should be carefully restricted to prevent publishing to or reading from the queue from unexpected sources. Queue policies can be used to limit these privileges.
AWS Link: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html
Recommended Action: Update the SQS policy to prevent access from external accounts.

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for SQS.
  3. Select the “SQS” queue that needs to be verified from “Name”.
  4. Scroll down the page and click on the “Permissions” tab from the bottom panel.
  5. Check the “Principals” column under “Permissions”. If it shows “Everybody” or an “AWS Account ID” that does not match any trusted AWS account, then cross-account access for the selected “SQS” queue is not secured.
  6. Repeat steps 2 - 5 to verify the other “SQS” queues in the selected AWS region.
  7. Navigate to “SQS”, choose the “SQS” queue that needs to be modified to secure cross-account access, and select the “Permissions” tab from the bottom panel.
  8. Click on the pencil icon in the “Permissions” tab to edit the selected “SQS” queue permission.
  9. In the “Add a Permission” dialog box, click on the “Deny” option under “Effect” to explicitly deny permission to the untrusted AWS account IDs, and click on the “Save” button to make the necessary changes.
  10. Repeat steps 7 - 9 to update the SQS policy of the remaining queues to prevent access from external accounts.
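The console check in steps 3 - 5 can also be expressed as a policy-document check, which is useful when you have many queues or want to run the control in a pipeline. The example below is added here and is not the Aqua CSPM plugin's own code: it parses an SQS queue policy, collects the AWS account behind every Allow statement's principal, and reports any principal that is the wildcard (“Everybody” in the console) or an account ID outside a trusted set. The three policies and the trusted account list are constructed sample values.

```python
import json

# Constructed sample data: a placeholder trusted account and three queue policies.
TRUSTED_ACCOUNTS = {"111111111111"}

# Weak: Principal "*" lets anyone send to the queue (shown as "Everybody" in the console).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:orders",
    }],
})

# Weak: grants a specific account that is not in the trusted list.
CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "111111111111"]},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "arn:aws:sqs:us-east-1:111111111111:orders",
    }],
})

# Corrected: only a role in the trusted account may use the queue.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/OrderProcessor"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:orders",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Return the set of account IDs (or "*") named by a statement's Principal.

    Service and Federated principals are ignored: they are not another AWS
    account and are outside the scope of this check.
    """
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict) or "AWS" not in principal:
        return set()
    accounts = set()
    for entry in _as_list(principal["AWS"]):
        if entry == "*":
            accounts.add("*")
        elif entry.isdigit() and len(entry) == 12:
            accounts.add(entry)                      # bare account ID
        elif entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])        # account ID from an IAM ARN
        else:
            accounts.add(entry)                      # unknown form, reported as-is
    return accounts


def find_cross_account_access(policy_json, trusted_accounts):
    """Return (statement index, principal, reason) for every untrusted Allow principal."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue                                 # Deny statements never widen access
        for account in sorted(principal_accounts(statement.get("Principal", {}))):
            if account == "*":
                findings.append((index, account, "wildcard principal: everybody can use the queue"))
            elif account not in trusted_accounts:
                findings.append((index, account, "principal account is not in the trusted list"))
    return findings


def is_cross_account_secured(policy_json, trusted_accounts):
    """True when no Allow statement grants access to an untrusted or wildcard principal."""
    return not find_cross_account_access(policy_json, trusted_accounts)


if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("cross-account", CROSS_ACCOUNT_POLICY),
                         ("restricted", RESTRICTED_POLICY)]:
        print(name, "secured" if is_cross_account_secured(policy, TRUSTED_ACCOUNTS) else
              find_cross_account_access(policy, TRUSTED_ACCOUNTS))
```

The check deliberately ignores any Condition block, so an Allow with `Principal: "*"` that is narrowed by a condition such as `aws:SourceArn` is still reported and left for manual review; the statement index in each finding tells you which entry to edit or to cover with a Deny as in step 9.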