SQS Cross Account Access

Ensures SQS policies disallow cross-account access

SQS policies should be carefully restricted so that only expected principals can send messages to, or receive messages from, the queue. Queue policies are the mechanism for limiting these privileges; a policy that grants access to “Everybody” or to an AWS account outside your trusted set exposes the queue to cross-account access.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.

  2. Select the “Services” option and search for SQS.

  3. Select the “SQS” queue that needs to be verified from the “Name” column.

  4. Scroll down the page and click on the “Permissions” tab from the bottom panel.

  5. Check the “Principals” column under “Permissions”. If it lists “Everybody” or an “AWS Account ID” that does not match any of the trusted AWS accounts, then cross-account access to the selected “SQS” queue is not secured.

  6. Repeat steps number 2 - 5 to verify other “SQS” queues in the selected AWS region.

  7. Navigate to “SQS”, choose the “SQS” queue that needs to be modified to secure cross-account access, and select the “Permissions” tab from the bottom panel.

  8. Click on the pencil icon in the “Permissions” tab to edit the selected “SQS” queue permission.

  9. In the “Add a Permission” dialog box, click on the “Deny” option under “Effect” to explicitly deny permission to the untrusted AWS account IDs, and click on the “Save” button to make the necessary changes.

  10. Repeat steps number 7 - 9 to update the SQS policy to prevent access from external accounts.
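As an added example (not part of this guide or of any vendor tool), the console check in steps 3 to 5 can also be run offline against a queue policy document: the script below lists the Allow statements whose principal is “Everybody” (`*`) or an AWS account outside a given trusted set. The sample policy, account IDs and queue name are constructed placeholders, and the trusted-account set is an assumption you supply.

```python
import json

# Constructed sample queue policy; account IDs and queue ARN are placeholders, not real.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TrustedSend", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
    {"Sid": "OpenReceive", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:ReceiveMessage", "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
    {"Sid": "PartnerSend", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
]})


def principal_accounts(principal):
    """Yield the account id ('*' for everybody) of each AWS principal in a statement."""
    if principal == "*":
        yield "*"
        return
    if not isinstance(principal, dict):
        return  # Service/Federated principals are not cross-account grants
    aws = principal.get("AWS", [])
    for p in ([aws] if isinstance(aws, str) else aws):
        if p == "*":
            yield "*"
        elif p.isdigit() and len(p) == 12:  # bare 12-digit account id
            yield p
        elif p.startswith("arn:aws:iam::"):
            yield p.split(":")[4]  # account id field of the ARN


def find_untrusted_statements(policy_json, trusted_accounts):
    """Return Sids of Allow statements granting access to '*' or to an account outside
    trusted_accounts. Conditions are ignored, so a '*' scoped by aws:SourceArn is still
    flagged; treat the output as a review list, as the console check above does."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct == "*" or acct not in trusted_accounts:
                findings.append(stmt.get("Sid", "<no Sid>"))
                break
    return findings
```

With `{"111111111111"}` as the trusted set, the sample policy yields `OpenReceive` and `PartnerSend`; the explicit Deny statements that step 9 adds are never reported, since only Allow statements are examined.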