SQS Queues Should Not Be Publicly Exposed

More Info:

There should not be any publicly accessible SQS queues available in your AWS account in order to protect against unauthorized users. Unauthorized access can lead to unauthorized actions such as intercepting, deleting and sending queue messages.

Risk Level

High

Address

Reliability, Security

Compliance Standards

PCIDSS, GDPR, APRA, MAS

Triage and Remediation

Remediation

Using Console

Using CLI

Sure, here are the step-by-step instructions to remediate this issue using AWS CLI:

Identify the publicly exposed SQS queue: First, you need to identify the SQS queues that are publicly exposed. You can do this by using the following command:

aws sqs list-queues

This command will list all the SQS queues in your AWS account.

Get the SQS queue’s policy: Once you have identified the SQS queue, you need to check its policy. You can do this by using the following command:

aws sqs get-queue-attributes --queue-url <Your-Queue-URL> --attribute-names Policy

Replace <Your-Queue-URL> with your actual SQS queue URL. This command will display the policy of the SQS queue.

Identify the issue in the policy: Check if the policy has “Principal”: ”*” with “Effect”: “Allow”. This means the SQS queue is publicly accessible.
Modify the policy: You need to remove the public access from the policy. You can do this by removing the statement with “Principal”: ”*” and “Effect”: “Allow”. Make sure you do not remove other statements that are needed for your application to function properly.
Set the new policy: Once you have modified the policy, you need to set it back to the SQS queue. You can do this by using the following command:

aws sqs set-queue-attributes --queue-url <Your-Queue-URL> --attributes Policy=<Your-New-Policy>

Replace <Your-Queue-URL> with your actual SQS queue URL, and <Your-New-Policy> with your new policy.

Verify the changes: Finally, verify if the changes have been applied properly. You can do this by getting the SQS queue’s policy again and checking if the public access has been removed.

Please remember to replace the placeholders with your actual values. Also, make sure you have the necessary permissions to perform these actions.

Using Python

To remediate the misconfiguration of SQS Queues being publicly exposed, you can use Boto3, the Amazon Web Services (AWS) SDK for Python. Here are the step-by-step instructions:

First, make sure you have installed the AWS SDK for Python (Boto3). If not, install it using pip:
```
pip install boto3
```

Import the necessary libraries:

import boto3
from botocore.exceptions import NoCredentialsError

Create a session using your AWS credentials. Replace ‘your_access_key’, ‘your_secret_key’, and ‘your_region’ with your AWS access key, secret key, and the region your SQS queue is in, respectively:
```
session = boto3.Session(
    aws_access_key_id='your_access_key',
    aws_secret_access_key='your_secret_key',
    region_name='your_region'
)
```
Create a client for SQS:
```
sqs = session.client('sqs')
```
Get the URL of the SQS queue. Replace ‘your_queue_name’ with the name of your queue:
```
response = sqs.get_queue_url(QueueName='your_queue_name')
queue_url = response['QueueUrl']
```

Get the current policy of the SQS queue:

current_policy = sqs.get_queue_attributes(
    QueueUrl=queue_url,
    AttributeNames=['Policy']
)

Check if the policy allows everyone to send messages to the queue. If it does, modify the policy to only allow specific AWS accounts or IAM users to send messages to the queue. Here’s an example of a policy that only allows a specific AWS account to send messages:

new_policy = {
    "Version": "2012-10-17",
    "Id": "MyQueuePolicy",
    "Statement": [
        {
            "Sid": "AllowSpecificAWSAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::YourAWSAccountID:root"
            },
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:region:YourAWSAccountID:YourQueueName"
        }
    ]
}

Set the new policy:

sqs.set_queue_attributes(
    QueueUrl=queue_url,
    Attributes={
        'Policy': json.dumps(new_policy)
    }
)

Finally, handle any exceptions that may occur during the process:

try:
    # Your code here
except NoCredentialsError:
    print("No AWS credentials found.")
except Exception as e:
    print(f"An error occurred: {e}")

Please replace ‘YourAWSAccountID’, ‘region’, and ‘YourQueueName’ with your AWS account ID, the region your SQS queue is in, and the name of your queue, respectively.This will change your SQS queue’s policy to only allow a specific AWS account to send messages to it, thus remediating the misconfiguration.

Additional Reading:

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SQS Queues Should Not Be Publicly Exposed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: