🛡️ AWS SQS Queue policy allows public access🟢

Contextual name: 🛡️ Queue policy allows public access🟢
ID: /ce/ca/aws/sqs/queue-public-policy
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS SQS Queue
- 🔌 AWS SQS Queue - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [SQS.3] SQS queue access policies should not allow public access

Description

Description

This policy identifies Amazon SQS queues whose resource-based policies allow public access to queue messages, queue metadata, or administrative operations.

Rationale

Amazon SQS queues commonly carry application events, workflow instructions, and other operational data. If a queue policy grants public or otherwise overly broad external access, unauthorized parties may be able to send arbitrary messages, read or remove queued messages, or interfere with queue processing.

Public sqs:SendMessage access can be abused to inject malicious or spam messages, trigger downstream workflows, or increase processing costs. Public consumer access, such as sqs:ReceiveMessage, sqs:DeleteMessage, or sqs:ChangeMessageVisibility, can expose message contents, disrupt normal processing, or cause message loss. Administrative permissions, such as sqs:SetQueueAttributes, sqs:DeleteQueue, or sqs:PurgeQueue, can allow an attacker to weaken protections, remove data, or disable the queue entirely.

Access required for AWS services or trusted cross-account integrations should be scoped to explicit principals and restrictive conditions such as aws:SourceArn, aws:SourceAccount, or equivalent account or organization boundaries.

... see more

Remediation

Open File

Remediation

Restrict the Queue Policy

Review the queue policy and remove any statements that grant access to * or to overly broad external principals. Keep access limited to explicitly required AWS accounts, IAM roles, or AWS service principals. When the queue must accept messages from AWS services or trusted external producers or consumers, add restrictive conditions such as aws:SourceArn and aws:SourceAccount.

From Command Line
Retrieve the current queue policy:
aws sqs get-queue-attributes \
    --queue-url {{queue-url}} \
    --attribute-names Policy \
    --query 'Attributes.Policy' \
    --output text > policy.json
Update policy.json and remove or narrow any statements that allow public access.

Ensure that:

the Principal is a specific AWS account, IAM role, or service principal;

the Action list contains only the minimum required sqs: permissions;

service integrations are constrained with conditions such as aws:SourceArn and aws:SourceAccount.
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SQS.3] SQS queue access policies should not allow public access			1		no data
💼 Cloudaware Framework → 💼 Public Data Access			12		no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

Restrict the Queue Policy​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Remediation

Remediation

Restrict the Queue Policy

From Command Line

policy.yaml

Linked Framework Sections