Plugin Title SQS Cross Account Access
Cloud AWS
Category SQS
Description Ensures SQS policies disallow cross-account access
More Info SQS policies should be carefully restricted to prevent publishing or reading from the queue from unexpected sources. Queue policies can be used to limit these privileges.
AWS Link http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html
Recommended Action Update the SQS policy to prevent access from external accounts.


Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the "Services" option and search for SQS.
  3. Select the "SQS" queue that needs to be verify from "Name".
  4. Scroll down the page and click on the "Permissions" tab from the bottom panel.
  5. Check the "Principals" column under "Permissions" and if "Everyobdy" or "AWS Account ID" which does not match any of the trusted AWS account than the selected "SQS" queue cross-account access is not secured.
  6. Repeat steps number 2 - 5 to verify other "SQS" queues in the selected AWS region.
  7. Navigate to "SQS" and choose "SQS" queue that needs to modify to secure the cross-account access and select the "Permissions" tab from the bottom panel.
  8. Click on the pencil icon in the "Permissions" tab to edit the selected "SQS" queue permission.
  9. In the "Add a Permission" dialog box click on the "Deny" option under the "Effect" to explicitly deny permission to the untrusted AWS account ID's and click on the "Save" button to make the necessary changes.
  10. Repeat steps number 7 - 9 to update the SQS policy to prevent access from external accounts.

Want to scan for this risk automatically?

Get Started Now