AWS securityhub documentation change
Summary
Added new SQS.3 control documentation about preventing public access to SQS queues
Security assessment
While the new SQS.3 control addresses a security concern (public access to SQS queues), there is no evidence this change is in response to a specific security vulnerability or incident. It appears to be a proactive addition of security documentation rather than a response to a security issue.
Diff
diff --git a/securityhub/latest/userguide/sqs-controls.md index 35d2761b2..1f8eb98ac 100644 --- a/securityhub/latest/userguide/sqs-controls.md +++ b/securityhub/latest/userguide/sqs-controls.md @@ -5 +5 @@ -[SQS.1] Amazon SQS queues should be encrypted at rest[SQS.2] SQS queues should be tagged +[SQS.1] Amazon SQS queues should be encrypted at rest[SQS.2] SQS queues should be tagged[SQS.3] SQS queue access policies should not allow public access @@ -66,0 +67,22 @@ To add tags to an existing queue using the Amazon SQS console, see [ Configuring +## [SQS.3] SQS queue access policies should not allow public access + +**Category:** Protect > Secure access management > Resource not publicly accessible + +**Severity:** High + +**Resource type:** `AWS::SQS::Queue` + +**AWS Config rule:** [sqs-queue-no-public-access](https://docs.aws.amazon.com/config/latest/developerguide/sqs-queue-no-public-access.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public access to the queue. + +An Amazon SQS access policy can allow public access to an SQS queue, which might allow an anonymous user or any authenticated AWS IAM identity to access the queue. SQS access policies typically provide this access by specifying the wildcard character (`*`) in the `Principal` element of the policy, not using proper conditions to restrict access to the queue, or both. If an SQS access policy allows public access, third parties might be able to perform tasks such as receive messages from the queue, send messages to the queue, or modify the access policy for the queue. This could result in events such as data exfiltration, a denial of service, or injection of messages into the queue by a threat actor. + +### Remediation + +For information about configuring the SQS access policy for an SQS queue, see [Using custom policies with the Amazon SQS Access Policy Language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the _Amazon Simple Queue Service Developer Guide_. +