SQS queue access policies should not allow public access
Description
This control checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public access to the queue. An Amazon SQS access policy can allow public access to an SQS queue, which might allow an anonymous user or any authenticated AWS IAM identity to access the queue. SQS access policies typically provide this access by specifying the wildcard character (*) in the Principal element of the policy, not using proper conditions to restrict access to the queue, or both. If an SQS access policy allows public access, third parties might be able to perform tasks such as receive messages from the queue, send messages to the queue, or modify the access policy for the queue. This could result in events such as data exfiltration, a denial of service, or injection of messages into the queue by a threat actor.
Remediation
To remediate this issue, update the SQS queue access policy to remove public access permissions. Remove statements that have Principal: '*' without restrictive conditions, or add conditions that limit access to specific AWS accounts or IP addresses.
Steps
- Open the Amazon SQS console.
- Select the SQS queue with the public access policy.
- Go to the 'Access policy' section in the queue's settings.
- Review the policy statements and identify any that have Principal: '*'.
- Either remove these statements or add conditions (such as SourceAccount or SourceArn) to restrict access.
- Save the updated access policy.