About
SQS queues have a resource policy attached specifying who can access messages in the queue. This policy can be configured to allow public read and write access to these messages.
Understanding Impact
Business Impact
SQS queues are frequently used for publish/subscribe applications. When a queue is insecurely configured, anyone can access messages it contains. These messages frequently contain sensitive and personal data.
Technical Impact
SQS queues can be shared through their resource policy. In general, this is used to share a queue cross-account, for instance to allow another AWS account to publish messages to the queue. However, it is common for the resource policy to be too open, allowing any principal, including users outside the AWS account, to access all messages in the queue.
Identify affected resources
You can use the following AWS CLI command to retrieve the resource-based policy attached to a specific SQS queue:
aws sqs get-queue-attributes \
--queue-url <your-queue-url> \
--attribute-names "Policy" \
--query "Attributes.Policy" \
--output text
The queue is vulnerable if its policy allows everyone (a wildcard "*" principal) access to an action such as sqs:SendMessage. Below is a sample vulnerable policy.
{
  "Version": "2008-10-17",
  "Id": "default_policy_ID",
  "Statement": [
    {
      "Sid": "owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:0123456789012:vulnerable-queue"
    }
  ]
}
Remediate vulnerable resources
Change the SQS queue policy so it does not allow public access. For instance, you may want to limit access to the queue to authorized users in the same AWS account:
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "111122223333"
        ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:0123456789012:vulnerable-queue"
    }
  ]
}
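The check described under "Identify affected resources", applied to both the vulnerable and the remediated policy above, as an added Python example (not Datadog's or AWS's code): it takes the policy string printed by the aws sqs get-queue-attributes command and reports which Allow statements grant an SQS action to a wildcard principal, keeping statements that carry a Condition in a separate bucket because a condition (for example an aws:SourceArn match) may legitimately scope such a grant. The two embedded policies are constructed copies of the ones on this page.

```python
import json

# Constructed inputs modelled on the two policies shown on this page.
VULNERABLE_POLICY = json.dumps({
    "Version": "2008-10-17", "Id": "default_policy_ID",
    "Statement": [{"Sid": "owner_statement", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "SQS:*",
                   "Resource": "arn:aws:sqs:us-east-1:0123456789012:vulnerable-queue"}]})
REMEDIATED_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "Queue1_Policy_UUID",
    "Statement": [{"Sid": "Queue1_SendMessage", "Effect": "Allow",
                   "Principal": {"AWS": ["111122223333"]}, "Action": "sqs:SendMessage",
                   "Resource": "arn:aws:sqs:us-east-1:0123456789012:vulnerable-queue"}]})


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to plain strings."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def classify_policy(policy_text):
    """Return {'public': [...Sids], 'conditional': [...Sids]} for Allow statements
    that grant an SQS action to every principal. 'public' statements have no
    Condition; 'conditional' ones are scoped by a Condition and need manual review.
    Accepts the raw string from `aws sqs get-queue-attributes ... --output text`;
    the CLI prints "None" when the queue has no policy (owner-only default)."""
    result = {"public": [], "conditional": []}
    if not policy_text or policy_text.strip() == "None":
        return result
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", [])):
            continue
        # Action names are case-insensitive ("SQS:*" and "sqs:*" are equivalent).
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a == "*" or a.startswith("sqs:") for a in actions):
            continue
        bucket = "conditional" if stmt.get("Condition") else "public"
        result[bucket].append(stmt.get("Sid", "<no Sid>"))
    return result


def is_publicly_accessible(policy_text):
    return bool(classify_policy(policy_text)["public"])
```

Pipe the output of the get-queue-attributes command from above into classify_policy to triage every queue in an account; anything in "public" is the misconfiguration this page describes.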
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | SQS Queue should not be publicly accessible".