
SQS Cross Account Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SQS-002

Ensure that all your Amazon SQS queues are configured to allow access only to trusted AWS accounts and users in order to protect against unauthorized cross-account access. Before running this rule by the Trend Cloud One™ – Conformity engine, the list with the trusted AWS identities must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing unknown (unauthorized) AWS accounts and users to access your Amazon SQS queues can lead to unauthorized actions such as intercepting, deleting, or sending queue messages without permission. To prevent data leaks, data loss, and avoid unexpected costs on your AWS bill, limit queue access to trusted entities only by implementing the right permissions.
Audit

To determine if there are any Amazon SQS queues that allow unknown cross-account access in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SQS console at https://console.aws.amazon.com/sqs/.

03 In the main navigation panel, under Amazon SQS, choose Queues.

04 Click on the name (link) of the SQS queue that you want to examine.

05 Select the Access policy tab from the console bottom panel to access the permissions defined for the selected queue.

06 Within the Access policy (Permissions) box, identify the "Principal" element defined for each policy statement and check the element value (i.e. ARN).

07 Sign in to your Trend Cloud One™ – Conformity account, access the Unknown SQS Cross-Account Access conformity rule settings, and compare the ARN(s) identified at the previous step against each AWS account ARN defined in the rule configuration section. If one or more ARNs are not included in the list of trusted AWS identities specified in the conformity rule settings, the cross-account access configuration defined for the selected Amazon SQS queue is not secure.

08 Repeat steps no. 4 – 7 for each Amazon SQS queue available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to list the URL of each Amazon SQS queue available in the selected AWS cloud region:

aws sqs list-queues \
  --region us-east-1 \
  --query 'QueueUrls[*]'

02 The command output should return an array with the requested SQS queue URLs:

[
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker",
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-mobile-app-queue"
]

03 Run get-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected SQS queue:

aws sqs get-queue-attributes \
  --region us-east-1 \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker \
  --attribute-names "Policy" \
  --query 'Attributes.Policy'

04 The command output should return the requested policy document:

{
  "Version": "2012-10-17",
  "Id": "cross-account-access",
  "Statement": [
    {
      "Sid": "owner-statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111222333444:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:123456789012:cc-web-app-worker"
    }
  ]
}

Identify the "Principal" element defined for each policy statement and check the element value, i.e. the principal ARN ("arn:aws:iam::111222333444:root" in the example above).

05 Sign in to your Trend Cloud One™ – Conformity account, access the Unknown SQS Cross-Account Access conformity rule settings, and compare the ARN(s) identified at the previous step against each AWS account ARN defined in the rule configuration section. If one or more ARNs are not included in the list of trusted AWS identities specified in the conformity rule settings, the cross-account access configuration defined for the selected Amazon SQS queue is not secure.

06 Repeat steps no. 3 – 5 for each Amazon SQS queue available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Audit process for other regions.
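The comparison in steps 4 and 5 can be scripted. The following is an added example, not part of the Conformity documentation: it takes the policy document string that get-queue-attributes returns and a set of trusted 12-digit account IDs (an assumption standing in for the ARNs configured in the rule settings), and reports every Allow-statement principal that does not belong to a trusted account. It handles the principal forms SQS policies actually use (a string, a list, the {"AWS": ...} map, bare account IDs and the "*" wildcard) and treats anything it cannot map to an account as untrusted.

```python
import json
import re

# Constructed sample: the policy document from the audit steps above, whose
# single statement grants SQS:* to a principal outside the trusted list.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "cross-account-access",
    "Statement": [
        {"Sid": "owner-statement", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111222333444:root"},
         "Action": "SQS:*",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:cc-web-app-worker"},
    ],
})

# Assumed trusted identities: the queue owner plus the trusted peer account
# used in the remediation templates on this page.
TRUSTED_ACCOUNTS = {"123456789012", "123412341234"}

# Matches IAM/STS principal ARNs in any AWS partition and captures the account ID.
_ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")

def principal_entries(principal):
    """Flatten a Principal element to a list of strings: handles "*", a bare
    string, a list, and the {"AWS": <string or list>} map form."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, list):
        return list(principal)
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []

def account_of(entry):
    """Return the 12-digit account ID behind a principal entry, or None for
    wildcards and anything unparseable (both are treated as untrusted)."""
    if entry.isdigit() and len(entry) == 12:   # bare account-ID principal form
        return entry
    m = _ARN_ACCOUNT.match(entry)
    return m.group(1) if m else None

def untrusted_principals(policy_json, trusted_accounts):
    """Return (Sid, principal) pairs from Allow statements whose account is not
    in trusted_accounts. Deny statements are skipped; Conditions are ignored."""
    doc = json.loads(policy_json)
    flagged = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for entry in principal_entries(stmt.get("Principal", {})):
            acct = account_of(entry)
            if acct is None or acct not in trusted_accounts:
                flagged.append((stmt.get("Sid", ""), entry))
    return flagged

if __name__ == "__main__":
    for sid, who in untrusted_principals(SAMPLE_POLICY, TRUSTED_ACCOUNTS):
        print(f"untrusted principal in statement {sid!r}: {who}")
```

Feed it the output of step 3 for each queue URL from step 1; an empty result means every Allow principal belongs to a trusted account.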

Remediation / Resolution

To update your Amazon SQS queue permissions in order to allow cross-account access from trusted entities only, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Allow cross-account access from trusted entities only",
  "Parameters": {
    "SQSQueueName": {
      "Default": "cc-worker-queue",
      "Description": "SQS Worker Queue",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "63",
      "AllowedPattern": "^[0-9a-zA-Z-/]*$",
      "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
    }
  },
  "Resources": {
    "SQSDeadLetterQueue": {
      "Type": "AWS::SQS::Queue"
    },
    "SQSSourceQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": {
          "Ref": "SQSQueueName"
        },
        "RedrivePolicy": {
          "deadLetterTargetArn": {
            "Fn::GetAtt": ["SQSDeadLetterQueue", "Arn"]
          },
          "maxReceiveCount": 5
        }
      }
    },
    "SQSAccessPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Id": "cross-account-access",
          "Statement": [
            {
              "Sid": "owner-statement",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123412341234:root"
              },
              "Action": "SQS:*",
              "Resource": "arn:aws:sqs:us-east-1:123456789012:cc-worker-queue"
            }
          ]
        },
        "Queues": [
          {
            "Ref": "SQSSourceQueue"
          }
        ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Allow cross-account access from trusted entities only
Parameters:
  SQSQueueName:
    Default: cc-worker-queue
    Description: SQS Worker Queue
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
Resources:
  SQSDeadLetterQueue:
    Type: AWS::SQS::Queue
  SQSSourceQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref 'SQSQueueName'
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt 'SQSDeadLetterQueue.Arn'
        maxReceiveCount: 5
  SQSAccessPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Id: cross-account-access
        Statement:
          - Sid: owner-statement
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123412341234:root
            Action: SQS:*
            Resource: arn:aws:sqs:us-east-1:123456789012:cc-worker-queue
      Queues:
        - !Ref 'SQSSourceQueue'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_sqs_queue" "sqs-queue-deadletter" {
  name = "cc-dead-letter-queue"
}

resource "aws_sqs_queue" "sqs-queue" {
  name = "sqs-worker-queue"
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.sqs-queue-deadletter.arn
    maxReceiveCount     = 5
  })
}

# Allow cross-account access from trusted entities only
resource "aws_sqs_queue_policy" "sqs-queue-policy" {
  queue_url = aws_sqs_queue.sqs-queue.id
  # "<<-" strips the common indentation so the closing marker may be indented;
  # the Resource is taken from the queue above so it always matches the queue
  # the policy is attached to.
  policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Id": "cross-account-access",
    "Statement": [
      {
        "Sid": "owner-statement",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123412341234:root"
        },
        "Action": "SQS:*",
        "Resource": "${aws_sqs_queue.sqs-queue.arn}"
      }
    ]
  }
  POLICY
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SQS console at https://console.aws.amazon.com/sqs/.

03 In the main navigation panel, under Amazon SQS, choose Queues.

04 Click on the name (link) of the SQS queue that you want to reconfigure.

05 Select the Access policy tab from the console bottom panel and choose Edit.

06 On the Edit <queue-name> configuration page, within the Access policy section, replace the ARN of the unauthorized principal, available in the Principal box, with the ARN of the trusted principal (AWS account) defined in the conformity rule settings. Choose Save to apply the permission changes.

07 Repeat steps no. 4 – 6 for other Amazon SQS queues available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Modify the access policy attached to your Amazon SQS queue and replace the unknown (untrusted) AWS identities with the trusted ones (as specified in the conformity rule settings), then save the policy document to a JSON file named cross-account-access-policy.json. The following example contains an SQS queue access policy that allows cross-account access to another (trusted) AWS account identified by the ARN "arn:aws:iam::123412341234:root"; note that the file must hold the policy document as an escaped JSON string under the "Policy" key, which is the format set-queue-attributes expects:

{
"Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"cross-account-access\",\"Statement\":[{\"Sid\":\"owner-statement\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123412341234:root\"},\"Action\":\"SQS:*\",\"Resource\":\"arn:aws:sqs:us-east-1:123456789012:cc-web-app-worker\"}]}"
}

02 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the Amazon SQS queue that you want to reconfigure as the identifier parameter to replace the existing access policy with the one modified at the previous step (i.e. cross-account-access-policy.json):

aws sqs set-queue-attributes \
  --region us-east-1 \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker \
  --attributes file://cross-account-access-policy.json

03 Repeat steps no. 1 and 2 for other Amazon SQS queues available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Sep 10, 2016