Ensure that all your Amazon SQS queues are configured to allow access only to trusted AWS accounts and users, in order to protect against unauthorized cross-account access. Before this rule is run by the Trend Cloud One™ – Conformity engine, the list of trusted AWS identities must be configured in the rule settings in your Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing unknown (unauthorized) AWS accounts and users to access your Amazon SQS queues can lead to unauthorized actions such as intercepting, deleting, or sending queue messages without permission. To prevent data leaks and data loss, and to avoid unexpected charges on your AWS bill, limit queue access to trusted entities only by applying a queue policy whose statements grant access solely to those entities.
Audit
To determine if there are any Amazon SQS queues that allow unknown cross-account access in your AWS account, perform the following actions:
Remediation / Resolution
To update your Amazon SQS queue permissions in order to allow cross-account access from trusted entities only, perform the following actions:
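The audit and remediation described above come down to reading each queue's `Policy` attribute (as returned by `get-queue-attributes`), checking the AWS principals of every `Allow` statement against the trusted-identity list, and writing back a policy that keeps only trusted principals (via `set-queue-attributes`). The following Python script is an added illustration of both steps, not code from the Conformity rule or console: it runs offline on a constructed sample queue policy, and the account IDs, queue ARN and `TRUSTED_ACCOUNTS` set are placeholders standing in for the values you would configure in the rule settings.

```python
import json
import re

# Constructed placeholders: the trusted account IDs that would be entered in the
# Conformity rule settings, and a queue policy of the kind returned by
# get-queue-attributes --attribute-names Policy (not real accounts or queues).
TRUSTED_ACCOUNTS = {"111111111111"}

SAMPLE_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-queue-policy",
    "Statement": [
        {"Sid": "TrustedAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:example-queue"},
        {"Sid": "MixedAccounts", "Effect": "Allow",
         "Principal": {"AWS": ["111111111111",
                               "arn:aws:iam::222222222222:user/someone"]},
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:aws:sqs:us-east-1:111111111111:example-queue"},
        {"Sid": "Everyone", "Effect": "Allow", "Principal": "*",
         "Action": "sqs:*",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:example-queue"},
    ],
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def principal_account(principal):
    """Account ID behind one AWS principal string; None for '*' or anything
    that cannot be tied to a single account."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    match = ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def aws_principals(statement):
    """All AWS (account/user/role) principals of one statement. Service
    principals are ignored because they are outside this rule's scope."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def statements_of(policy):
    """Normalise the Statement element, which may be one object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def untrusted_principals(policy, trusted_accounts):
    """Audit: (statement index, principal) for every Allow grant to an
    identity outside trusted_accounts, wildcards included."""
    findings = []
    for index, stmt in enumerate(statements_of(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in aws_principals(stmt):
            if principal_account(principal) not in trusted_accounts:
                findings.append((index, principal))
    return findings


def restrict_to_trusted(policy, trusted_accounts):
    """Remediation: copy of the policy in which each Allow statement keeps only
    trusted AWS principals; statements left with none are dropped."""
    kept = []
    for stmt in statements_of(policy):
        principals = aws_principals(stmt)
        if stmt.get("Effect") != "Allow" or not principals:
            kept.append(stmt)  # Deny or service-only statement: left unchanged
            continue
        trusted = [p for p in principals
                   if principal_account(p) in trusted_accounts]
        if trusted:
            kept.append({**stmt, "Principal": {"AWS": trusted}})
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    for index, principal in untrusted_principals(SAMPLE_QUEUE_POLICY, TRUSTED_ACCOUNTS):
        print(f"statement {index}: untrusted principal {principal}")
    # The JSON below is the document you would pass to set-queue-attributes as the Policy attribute.
    print(json.dumps(restrict_to_trusted(SAMPLE_QUEUE_POLICY, TRUSTED_ACCOUNTS), indent=2))
```

On the sample policy the audit reports the `222222222222` user in the second statement and the `*` principal in the third; the remediated policy keeps the first two statements with only the trusted principals and drops the third. One caveat when applying this to real queues: a statement with `"Principal": "*"` plus a `Condition` on `aws:SourceArn` (the usual way to let an SNS topic deliver to a queue) is reported as untrusted and removed by `restrict_to_trusted`, so review such statements before writing the policy back; `Deny` statements and service principals are passed through untouched.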
References
- AWS Documentation
  - Amazon SQS FAQs
  - Identity and access management in Amazon SQS
  - Using custom policies with the Amazon SQS Access Policy Language
  - Examples of policies for delegating access
- AWS Command Line Interface (CLI) Documentation
  - sqs
  - list-queues
  - get-queue-attributes
  - set-queue-attributes
- CloudFormation Documentation
  - Amazon Simple Queue Service resource type reference
- Terraform Documentation
  - AWS Provider