More Info:
AWS SQS queues should be configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account entities.
Risk Level
High
Address
Security
Compliance Standards
PCIDSS, APRA, MAS, NIST
Triage and Remediation
Remediation
Using Console
To remediate this issue, you need to modify the permissions for the SQS queue to disallow cross-account access. Follow these steps:
- Log in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.
- In the navigation pane, choose “Queues”.
- In the list of queues, choose the name of the queue you want to modify.
- Choose the “Permissions” tab.
- You will see a list of all the permissions currently set for this queue. Look for any permissions that allow cross-account access. These will be permissions where the AWS account ID specified is not the same as your own account ID.
- To delete a permission, choose the “Remove” button next to it. Confirm the deletion when prompted.
- Repeat this process for all permissions that allow cross-account access.
- Once done, check the permissions list to ensure there are no longer any permissions allowing cross-account access.
- If you need to allow specific accounts to access your queue, you can add those permissions back individually, specifying the exact AWS account ID for each account you want to allow.
- Make sure to review your changes and save them.
Using CLI
To remediate this misconfiguration, you need to modify the SQS policy to restrict access to the specific AWS accounts that need access to the queue. Here are the steps:
- First, identify the queue URL. You can list all the SQS queues in your AWS account with the following command:
- Once you've identified the queue URL, retrieve the current policy. Replace [QUEUE_URL] with your queue URL.
- Save the output of the above command to a JSON file, for example, policy.json.
- Edit the policy.json file to remove the cross-account access. The policy should look something like this, with <your-account-id>, <region>, and <queue-name> replaced with your account ID, the AWS region, and the queue name respectively:
- Now, set the new policy on the SQS queue. Replace [QUEUE_URL] with your queue URL.
- Confirm the changes by retrieving the queue attributes again. Replace [QUEUE_URL] with your queue URL. The output should reflect the changes you made to the policy. Now the SQS queue should not allow cross-account access.
Using Python
To remediate the misconfiguration where SQS queues allow cross-account access, you need to modify the resource policy attached to the queue. Here are the steps to follow using Python and Boto3, the AWS SDK for Python:
- Install the Boto3 module for Python. If you haven't already, install it using pip:
- Set up AWS credentials. Boto3 needs your AWS credentials (Access Key ID and Secret Access Key) to interact with AWS services. You can set these in several ways:
  - Setting environment variables:
  - Using a credentials file at ~/.aws/credentials, which should look like:
- Create a Python script to modify the resource policy of the SQS queue:
The MODIFY_CURRENT_POLICY_TO_REMOVE_CROSS_ACCOUNT_ACCESS placeholder in the script needs to be replaced with the actual logic to modify the policy, which depends on the specifics of the current policy. Also be aware that modifying the policy in a way that removes necessary permissions can break applications that depend on this SQS queue. Always make sure you understand the implications of a policy change before applying it.
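As an added example (not the page's own script), the following Python fills in the MODIFY_CURRENT_POLICY_TO_REMOVE_CROSS_ACCOUNT_ACCESS step: it keeps only Allow statements whose principals all belong to a set of trusted account IDs (your own account plus any you deliberately allow, as in the console steps), drops foreign-account and anonymous "*" grants, and writes the result back with Boto3. The function names, the queue ARN, the account IDs and the sample policy are constructed for this example.

```python
import json
import re

# An IAM ARN (capturing its account) or a bare 12-digit account ID.
ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):|^(\d{12})$")

def principal_accounts(principal):
    """Account IDs named in a Principal; "*" stays literal, service principals yield none."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    accounts = set()
    for entry in [aws] if isinstance(aws, str) else aws:
        m = ACCOUNT_RE.match(entry)
        accounts.add((m.group(1) or m.group(2)) if m else entry)
    return accounts

def remove_cross_account_access(policy, trusted_accounts):
    """Drop Allow statements whose principals are not all trusted accounts.
    Returns (new_policy, removed_statements); Deny statements are kept as-is."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    kept, removed = [], []
    for stmt in statements:
        accounts = principal_accounts(stmt.get("Principal", {}))
        if stmt.get("Effect") == "Allow" and not accounts <= set(trusted_accounts):
            removed.append(stmt)
        else:
            kept.append(stmt)
    return {**policy, "Statement": kept}, removed

def remediate_queue(queue_url, trusted_accounts):
    """Fetch, filter and write back the queue policy with Boto3 (needs AWS credentials)."""
    import boto3  # imported here so the pure logic above runs without boto3 installed
    sqs = boto3.client("sqs")
    current = sqs.get_queue_attributes(QueueUrl=queue_url, AttributeNames=["Policy"])
    if "Policy" not in current["Attributes"]:
        return []  # no resource policy attached, nothing to remove
    policy, removed = remove_cross_account_access(json.loads(current["Attributes"]["Policy"]), trusted_accounts)
    if removed:  # an empty string detaches the policy when no statement remains
        body = json.dumps(policy) if policy["Statement"] else ""
        sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={"Policy": body})
    return removed

# Constructed sample (not from the page): owner 111111111111; the grant to
# 222222222222 and the anonymous "*" grant are the cross-account access.
ARN = "arn:aws:sqs:us-east-1:111111111111:example-queue"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Owner", "Effect": "Allow", "Action": "sqs:*", "Resource": ARN, "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "Partner", "Effect": "Allow", "Action": "sqs:SendMessage", "Resource": ARN, "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Producer", "222222222222"]}},
    {"Sid": "Anyone", "Effect": "Allow", "Action": "sqs:ReceiveMessage", "Resource": ARN, "Principal": "*"},
    {"Sid": "Sns", "Effect": "Allow", "Action": "sqs:SendMessage", "Resource": ARN, "Principal": {"Service": "sns.amazonaws.com"}},
]}
```

Run remove_cross_account_access(SAMPLE_POLICY, {"111111111111"}) to see which statements would be dropped before calling remediate_queue against a real queue URL; a statement granted to a trusted partner survives if that account ID is added to the trusted set.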