Ensure that all your AWS SQS queues are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account entities. Before the Cloud Conformity engine runs this rule, you need to provide the ID of each trusted AWS account (e.g. 575392584085) that may access your queues, using the rule settings available in the Cloud Conformity Console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing cross-account access to your SQS queues from untrusted accounts can lead to unauthorized actions such as intercepting, deleting or sending queue messages without permission. To prevent data leaks and data loss, and to avoid unexpected charges on your AWS bill, limit access to trusted entities only by implementing the necessary SQS queue policies.
Audit
To determine if there are any AWS SQS queues that allow unknown cross account access, perform the following:
Remediation / Resolution
To update your AWS SQS queues permissions in order to allow cross account access only from trusted entities, perform the following:
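The following is an added example, not Conformity's or AWS's own code, that covers both the audit and the remediation step above. It parses an SQS queue access policy (the JSON string returned in the Policy attribute by `aws sqs get-queue-attributes --queue-url <URL> --attribute-names Policy`) and reports every Allow statement whose principal is anonymous or belongs to an account outside the trusted list, then builds a replacement policy that grants only the trusted accounts access, ready to be applied with `aws sqs set-queue-attributes --queue-url <URL> --attributes Policy=<json>`. The trusted account 575392584085 is the one quoted on this page; the other account IDs, the queue ARN and the sample policy are constructed for the example, and the parser assumes the standard IAM principal formats (a bare 12-digit account ID or an `arn:aws:iam::<account>:...` / `arn:aws:sts::<account>:...` ARN).

```python
"""Audit an SQS queue policy for untrusted cross-account principals and build
a hardened replacement policy. Standard library only, so it runs offline."""
import json
import re

# Constructed sample: the account ID quoted on the rule page plus one
# hypothetical second trusted account.
TRUSTED_ACCOUNTS = {"575392584085", "111122223333"}

# Matches a bare account ID or an IAM/STS ARN and captures the 12-digit account.
_ACCOUNT_RE = re.compile(r"^(?:arn:aws[a-z-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def principal_account(principal):
    """Return the 12-digit account ID named by a principal string, or None for
    the anonymous wildcard and for formats this example does not recognise."""
    if principal == "*":
        return None
    match = _ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def _aws_principals(principal):
    """Normalise a statement's Principal element to a list of AWS principal
    strings. Both "*" and {"AWS": "*"} mean anonymous access, so both yield
    ["*"]; service or federated principals are not account-based and are
    ignored here."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def find_untrusted_principals(policy_doc, trusted_accounts):
    """Return a list of (sid, principal, reason) tuples for every Allow
    statement that grants access outside `trusted_accounts`."""
    findings = []
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "Statement%d" % idx)
        for principal in _aws_principals(stmt.get("Principal", {})):
            if principal == "*":
                reason = ("wildcard principal restricted by a Condition (review it)"
                          if "Condition" in stmt else "anonymous access")
                findings.append((sid, principal, reason))
                continue
            account = principal_account(principal)
            if account is None:
                findings.append((sid, principal, "unrecognised principal format"))
            elif account not in trusted_accounts:
                findings.append((sid, principal, "account %s is not trusted" % account))
    return findings


def build_trusted_policy(queue_arn, trusted_accounts,
                         actions=("sqs:SendMessage", "sqs:ReceiveMessage")):
    """Build a queue policy JSON string that allows only the trusted accounts
    the listed actions on the queue; pass it as the Policy attribute value."""
    principals = sorted("arn:aws:iam::%s:root" % acct for acct in trusted_accounts)
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustedCrossAccountAccess",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": list(actions),
            "Resource": queue_arn,
        }],
    })


# Constructed sample policy mixing trusted, untrusted, anonymous and Deny statements.
SAMPLE_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:example-queue"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Trusted", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::575392584085:root"},
         "Action": "sqs:SendMessage", "Resource": SAMPLE_QUEUE_ARN},
        {"Sid": "Untrusted", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "444455556666"]},
         "Action": "sqs:*", "Resource": SAMPLE_QUEUE_ARN},
        {"Sid": "Anonymous", "Effect": "Allow", "Principal": "*",
         "Action": "sqs:ReceiveMessage", "Resource": SAMPLE_QUEUE_ARN},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": "sqs:DeleteQueue", "Resource": SAMPLE_QUEUE_ARN},
    ],
})

if __name__ == "__main__":
    for sid, principal, reason in find_untrusted_principals(SAMPLE_POLICY, TRUSTED_ACCOUNTS):
        print("%s: %s (%s)" % (sid, principal, reason))
    print(build_trusted_policy(SAMPLE_QUEUE_ARN, TRUSTED_ACCOUNTS))
```

Running the sample reports the two untrusted accounts in the Untrusted statement and the anonymous principal in the Anonymous statement; the Trusted and DenyDelete statements produce no findings. A wildcard principal narrowed by a Condition (for example on aws:SourceArn) is reported for review rather than treated as safe, because whether it is acceptable depends on the condition.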
References
- AWS Documentation
  - Amazon SQS FAQs
  - Authentication and Access Control for Amazon SQS
  - Key Concepts
  - Examples of Policies for Delegating Access
- AWS Command Line Interface (CLI) Documentation
  - sqs
  - list-queues
  - get-queue-attributes
  - set-queue-attributes
Rule: SQS Cross Account Access
Risk level: High