AWS Security ChangesHomeSearch

AWS AWSSimpleQueueService medium security documentation change

Service: AWSSimpleQueueService · 2025-07-18 · Security-related medium

File: AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.md

Summary

Added new section 'Using dead-letter queue redrive with VPC endpoint access control' with detailed policy examples

Security assessment

Addresses potential security misconfigurations when using VPC restrictions with DLQ redrive by providing explicit policy conditions (aws:CalledViaLast/ViaAWSService) to maintain security while allowing service operations. Directly impacts access control configuration security.

Diff

diff --git a/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.md b/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.md
index 3be8c1f49..016471636 100644
--- a//AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.md
+++ b//AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.md
@@ -5 +5 @@
-Configuring a dead-letter queue redrive for an existing standard queue using the Amazon SQS APIConfiguring a dead-letter queue redrive for an existing standard queue using the Amazon SQS consoleConfiguring queue permissions for dead-letter queue redrive
+Configuring a dead-letter queue redrive for an existing standard queue using the Amazon SQS APIConfiguring a dead-letter queue redrive for an existing standard queue using the Amazon SQS consoleConfiguring queue permissions for dead-letter queue redrive Using dead-letter queue redrive with VPC endpoint access control
@@ -138,0 +139,6 @@ Your access policy should resemble the following:
+JSON
+    
+
+****
+    
+    
@@ -220,0 +228,6 @@ Your access policy should resemble the following:
+JSON
+    
+
+****
+    
+    
@@ -257,0 +271,113 @@ Your access policy should resemble the following:
+
+##  Using dead-letter queue redrive with VPC endpoint access control
+
+When you restrict queue access to specific VPCs using the `aws:sourceVpc` condition, you need to make an exception for AWS services to enable dead-letter queue (DLQ) redrive functionality. This is because the Amazon SQS service operates outside your VPC when moving messages. 
+
+To allow DLQ redrive operations, add the `aws:CalledViaLast` condition to your queue policy. This allows Amazon SQS to make API calls on your behalf while maintaining VPC restrictions for direct access. 
+
+To allow both VPC-restricted access and DLQ redrive: 
+
+  1. Use the `aws:CalledViaLast` condition in your queue policy.
+
+  2. Apply the policy to both the source queue and the DLQ
+
+  3. Maintain VPC restrictions for direct access from other sources
+
+
+
+
+Here is an example policy that implements these requirements: 
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Id": "SQSRedriveWithVpcRestriction",
+      "Statement": [
+        {
+          "Sid": "DenyOutsideVPCUnlessAWSService_DestQueue",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "sqs:*",
+          "Resource": "arn:aws:sqs:*:111122223333:DestQueue",
+          "Condition": {
+            "StringNotEquals": {
+              "aws:SourceVpc": "vpc-1234567890abcdef0"
+            },
+            "StringNotEqualsIfExists": { 
+              "aws:CalledViaLast": "sqs.amazonaws.com"
+            }
+          }
+        },
+        {
+          "Sid": "DenyOutsideVPCUnlessAWSService_DLQ",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "sqs:*",
+          "Resource": "arn:aws:sqs:*:111122223333:Dlq",
+          "Condition": {
+            "StringNotEquals": {
+              "aws:SourceVpc": "vpc-1234567890abcdef0"
+            },
+            "StringNotEqualsIfExists": { 
+              "aws:CalledViaLast": "sqs.amazonaws.com"
+            }
+          }
+        }
+      ]
+    }
+    
+
+  * Replace the placeholder values with your actual values
+
+  * This policy uses a "deny" statement with conditions, which is more secure than using "allow" statements
+
+  * The `StringNotEqualsIfExists` operator handles cases where the condition key might not be present in the request context. 
+
+
+
+
+Alternatively, you can use the `aws:ViaAWSService` condition key to allow service-based access while maintaining VPC restrictions. This condition key indicates whether the request comes from an AWS service. Here is an example policy that uses `aws:ViaAWSService` instead of `aws:CalledViaLast`: 
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Id": "SQSRedriveWithVpcRestriction",
+      "Statement": [
+        {
+          "Sid": "DenyOutsideVPCUnlessAWSService_DestQueue",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "sqs:*",
+          "Resource": "arn:aws:sqs:*:111122223333:DestQueue",
+          "Condition": {
+            "StringNotEquals": {
+              "aws:SourceVpc": "vpc-1234567890abcdef0"
+            },
+            "BoolIfExists": {
+              "aws:ViaAWSService": "false"
+            }
+          }
+        },
+        {
+          "Sid": "DenyOutsideVPCUnlessAWSService_DLQ",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "sqs:*",
+          "Resource": "arn:aws:sqs:*:111122223333:Dlq",
+          "Condition": {
+            "StringNotEquals": {
+              "aws:SourceVpc": "vpc-1234567890abcdef0"
+            },
+            "BoolIfExists": {
+              "aws:ViaAWSService": "false"
+            }
+          }
+        }
+      ]
+    }
+    
+
+The BoolIfExists operator with `aws:ViaAWSService` condition ensures that requests are allowed when they come from services while maintaining VPC restrictions for direct access. This can be simpler to understand and maintain, as it directly checks if the request is made by an AWS service rather than checking which service made the last call. 
+
+For more information on condition keys used in IAM and resource policies, see IAM JSON policy elements: Condition. 
+