Skip to main content

More Info:

AWS SQS queues should be configured to use a Dead Letter Queue (DLQ) in order to help maintain the queue flow and avoid losing data by detecting and mitigating failures and service disruptions on time.

Risk Level

Low

Address

Reliability, Operational Maturity

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

Step 1: Login to AWS Console First, sign in to your AWS Management Console.Step 2: Navigate to Simple Queue Service (SQS) On the AWS Management Console, find the “Services” dropdown on the top left corner. Click on it and search for “SQS”. Click on the “SQS” service to navigate to the Simple Queue Service (SQS) dashboard.Step 3: Select the Queue On the SQS dashboard, you will see a list of all your SQS queues. Click on the queue for which you want to configure a Dead Letter Queue.Step 4: Configure Queue Redrive Policy On the queue’s detail page, click on the “Edit Redrive Policy” button.Step 5: Specify Dead Letter Queue In the “Redrive Policy” section, click on “Specify Dead Letter Queue”. A dropdown will appear, select the queue that you want to use as the dead letter queue. If you have not created a dead letter queue yet, you will need to create one before you can select it.Step 6: Specify Maximum Receives In the “Maximum Receives” field, specify the maximum number of times a message can be received before it is sent to the dead letter queue.Step 7: Save Changes Click on the “Save Changes” button to save the redrive policy.Now, your SQS queue is configured with a dead letter queue. Any message that is received more than the specified maximum number of times will be automatically sent to the dead letter queue.
Here’s how you can remediate the misconfiguration:
  1. Open the AWS CLI on your local machine. If it’s not installed, you can download it from the AWS official website and install it.
  2. Configure your AWS CLI with your AWS account. You can do this by running the command aws configure and then entering your Access Key ID, Secret Access Key, Default region name, and Default output format.
  3. Before you can set a Dead Letter Queue, you need to create one. Run the following command to create a new SQS queue which will act as your Dead Letter Queue: 
    aws sqs create-queue --queue-name MyDeadLetterQueue
    This will return a JSON response with the URL of the newly created queue. Save this URL as you will need it in the next steps.
  4. Now, you need to get the ARN (Amazon Resource Name) of the Dead Letter Queue. Run the following command: 
    aws sqs get-queue-attributes --queue-url [URL of your Dead Letter Queue] --attribute-names QueueArn
    Replace [URL of your Dead Letter Queue] with the URL you got from step 3. This will return the ARN of your Dead Letter Queue.
  5. Now, you can set the Dead Letter Queue for your main SQS queue. Run the following command: 
    aws sqs set-queue-attributes --queue-url [URL of your main SQS Queue] --attributes RedrivePolicy='{"deadLetterTargetArn":"[ARN of your Dead Letter Queue]","maxReceiveCount":"10"}'
    Replace [URL of your main SQS Queue] with the URL of your main SQS queue and [ARN of your Dead Letter Queue] with the ARN you got from step 4.
  6. Your main SQS queue is now configured with a Dead Letter Queue. Any messages that are not processed after 10 receive attempts will be sent to the Dead Letter Queue.
Remember to replace the placeholders in the commands with your actual values. Also, the number “10” in the maxReceiveCount attribute is just an example, you can set it to any number according to your requirements.
Here’s a step by step guide on how to remediate this AWS SQS misconfiguration using Python:
  1. First, you need to install the AWS SDK for Python (Boto3). You can do this using pip:
pip install boto3
  1. Import the necessary libraries and initialize the SQS client:
import boto3

sqs = boto3.client('sqs')
  1. Now, create a new SQS queue that will be used as the Dead Letter Queue (DLQ):
response = sqs.create_queue(
    QueueName='MyDeadLetterQueue',
    Attributes={
        'DelaySeconds': '60',
        'MessageRetentionPeriod': '86400'
    }
)

dlq_url = response['QueueUrl']
  1. Get the ARN of the DLQ:
response = sqs.get_queue_attributes(
    QueueUrl=dlq_url,
    AttributeNames=[
        'QueueArn'
    ]
)

dlq_arn = response['Attributes']['QueueArn']
  1. Setup the Redrive Policy for the main queue:
redrive_policy = {
    'deadLetterTargetArn': dlq_arn,
    'maxReceiveCount': '10'
}

main_queue_url = 'https://sqs.us-east-1.amazonaws.com/123456789012/MyMainQueue'

response = sqs.set_queue_attributes(
    QueueUrl=main_queue_url,
    Attributes={
        'RedrivePolicy': json.dumps(redrive_policy)
    }
)
This will set up the main queue to move messages to the DLQ after they have been received 10 times.Please note that you need to replace 'https://sqs.us-east-1.amazonaws.com/123456789012/MyMainQueue' with the URL of your main SQS queue. Also, you may need to adjust the DelaySeconds, MessageRetentionPeriod, and maxReceiveCount values to fit your specific needs.

Additional Reading: