SQS Queue Shared With Untrusted AWS Account
Overview
The Amazon Simple Queue Service (SQS) queue has a resource-based policy that allows access from one or more untrusted AWS accounts - that is, accounts not known to Cloud Defense.
This presents a serious risk if systems consuming this queue accept messages and deserialize them unsafely. Many systems use SQS as part of internal processing whose messages are implicitly trusted, so a message sent from an untrusted account could lead to arbitrary code execution, exposure of sensitive data, or denial of service.
You should limit exposure of message queues such as SQS as much as possible. With very few exceptions, queues should not be shared across AWS accounts or with untrusted systems.
Remediation details:
The included remediation guides provide directions on how to review and remove queue policy statements. Unless you have defined your infrastructure as code, or need to change a large number of queue policies, we recommend using the AWS console, which includes an interactive policy editor.
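As an added example, not Cloud Defense's own check code, the following Python applies the same logic to a queue policy document: it collects the AWS account IDs named as principals in each Allow statement and reports those missing from a trusted list, mirroring the Trusted AWS Account IDs input (trusting all known accounts amounts to passing them in that list). The sample policy, queue ARN and account IDs are constructed.

```python
import json
import re

# Account ID embedded in an IAM ARN such as arn:aws:iam::123456789012:root or ...:role/Name
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def principal_accounts(principal):
    """Account IDs named by a statement's Principal; '*' stands for an anonymous (public) grant."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    accounts = set()
    for value in [values] if isinstance(values, str) else values:
        if value == "*" or re.fullmatch(r"\d{12}", value):
            accounts.add(value)            # bare wildcard or bare account ID
        elif match := ARN_ACCOUNT_RE.match(value):
            accounts.add(match.group(1))   # account ID taken from a root/user/role ARN
    return accounts


def find_untrusted_principals(policy_document, trusted_account_ids):
    """Return (Sid, untrusted accounts) for each Allow statement granting access outside the trusted set."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):      # a policy may carry a single statement object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        untrusted = principal_accounts(stmt.get("Principal", {})) - set(trusted_account_ids)
        if untrusted:
            findings.append((stmt.get("Sid", f"Statement{index}"), sorted(untrusted)))
    return findings


# Constructed sample queue policy: owner access, a cross-account grant, and a public grant.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:orders"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sqs:*", "Resource": QUEUE_ARN},
    {"Sid": "PartnerSend", "Effect": "Allow",
     "Principal": {"AWS": ["222222222222", "arn:aws:iam::333333333333:role/Uploader"]},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
    {"Sid": "Anyone", "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
]})

if __name__ == "__main__":
    for sid, accounts in find_untrusted_principals(SAMPLE_POLICY, ["111111111111", "222222222222"]):
        print(f"{sid}: grants access to untrusted principals {accounts}")
```

A statement whose only principals are trusted accounts produces no finding; a `"Principal": "*"` grant is always reported, since it is open to any AWS account.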
Vendor
AWS
Cloud Service
SQS
Input
{
  "trustAllConnectedAccounts": {
    "label": "Trust All Known Accounts",
    "value": true,
    "type": "boolean",
    "helpText": "If true, all AWS Accounts known to Cloud Defense will be trusted and therefore ignored if found by this check, in addition to any accounts in Trusted Accounts."
  },
  "trustedAccountIds": {
    "label": "Trusted AWS Account IDs",
    "helpText": "A list of AWS Account IDs to trust and therefore ignore if found by this check.",
    "value": [],
    "type": "string[]"
  }
}
References
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html
https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html#grant-cross-account-permissions-to-role-and-user-name
Severity
3
Item Types
AWS::SQS::Queue