sqs-cross-account-access.md

File metadata and controls

26 lines (22 loc) · 2.09 KB

CloudSploit

AWS / SQS / SQS Cross Account Access

Quick Info

| Field | Value |
|---|---|
| Plugin Title | SQS Cross Account Access |
| Cloud | AWS |
| Category | SQS |
| Description | Ensures SQS policies disallow cross-account access |
| More Info | SQS policies should be carefully restricted to prevent publishing to or reading from the queue from unexpected sources. Queue policies can be used to limit these privileges. |
| AWS Link | http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html |
| Recommended Action | Update the SQS policy to prevent access from external accounts. |

Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for SQS.
  3. Select the "SQS" queue that needs to be verified by clicking on its "Name".
  4. Scroll down the page and click on the "Access Policy" tab in the bottom panel.
  5. Check the "Principal" key under "Access policy (Permissions)". If it is set to "*", or to an AWS Account ID that does not match any of the trusted AWS accounts, then cross-account access to the selected "SQS" queue is not secured.
  6. To edit the selected "SQS" queue's permissions, click on the "Edit" button.
  7. On the "Edit Queue" page, scroll down to "Access policy" and change the "Principal" value from Everyone (*) to the relevant AWS Account ID.
  8. Click on the "Save" button to apply the changes.
  9. Repeat steps 3 - 8 for the remaining queues to update each SQS policy and prevent access from external accounts.
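The check in step 5 can be automated against a queue policy document. The following is an added example, not CloudSploit's plugin code: it normalises the `Principal` element of each `Allow` statement to account IDs and reports any that is `*` or outside the trusted list. The two policies and the account IDs in it are constructed samples.

```python
import json
import re

# Constructed sample policies (not from the page): the first grants everyone
# access, the second restricts it to one trusted partner account.
WEAK_POLICY = json.dumps({"Statement": [{
    "Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
    "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"}]})

FIXED_POLICY = json.dumps({"Statement": [{
    "Sid": "AllowPartner", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"}]})

_ACCOUNT_RE = re.compile(r"^\d{12}$")
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_accounts(principal):
    """Normalise a Principal element to the set of account IDs it names ('*' = everyone).
    Only the "AWS" key is examined; "Service" principals are a separate concern."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    accounts = set()
    for v in values:
        if v == "*" or _ACCOUNT_RE.match(v):
            accounts.add(v)
        elif (m := _ARN_RE.match(v)):
            accounts.add(m.group(1))  # arn:aws:iam::<account>:root or a role/user ARN
        else:
            accounts.add(v)  # unrecognised form: surface it for manual review
    return accounts


def untrusted_principals(policy_json, queue_account, trusted_accounts):
    """List (Sid, principal) pairs from Allow statements that grant access to
    anyone outside the queue's own account and the trusted account list."""
    trusted = set(trusted_accounts) | {queue_account}
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct not in trusted:
                findings.append((stmt.get("Sid", ""), acct))
    return findings
```

In practice the policy document comes from `GetQueueAttributes` with the `Policy` attribute; an empty result for every queue is the state the remediation steps aim for.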