---
layout: default
---

## Amazon Simple Queue Service (SQS)

| Identifier | Guardrail | Rationale | Remediation | References | Policy | IAM Actions |
|:--|:--|:--|:--|:--|:--|:--|
| <a id="IAM-SQS-1" href="#IAM-SQS-1">IAM-SQS-1</a> | Check that, when an AWS service calls Amazon SQS, the policy specifies aws:SourceArn for the authorized service. | Specifying the global condition context key aws:SourceArn protects against the confused deputy problem. | Use the global condition context key aws:SourceArn to specify the ARN of the authorized AWS service that is allowed to invoke your SQS queue. | [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)<br><br>[https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html) | SQS Policy or IAM Policy | |
| <a id="IAM-SQS-2" href="#IAM-SQS-2">IAM-SQS-2</a> | Check that only authorized principals are able to invoke SendMessage or SendMessageBatch. | Unauthorized principals can flood the SQS queues, potentially resulting in large costs or a denial of service against the queues. A second concern is malicious messages: the default SQS message size is 256KB, though clients can send a maximum payload size of 2GB. If the consuming application does not fully sanitize message contents, it could be at risk. | Scope SendMessage and SendMessageBatch to authorized principals only. | [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html)<br><br>[https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html) | | |
| <a id="IAM-SQS-3" href="#IAM-SQS-3">IAM-SQS-3</a> | Check that only authorized principals are able to invoke ReceiveMessage. | Unauthorized principals can consume messages, preventing the intended consumer from receiving them. This is a particular concern for FIFO queues with exactly-once processing. | Scope ReceiveMessage to authorized principals only. | [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html)<br><br>[https://aws.amazon.com/about-aws/whats-new/2016/11/amazon-sqs-introduces-fifo-queues-with-exactly-once-processing-and-lower-prices-for-standard-queues/](https://aws.amazon.com/about-aws/whats-new/2016/11/amazon-sqs-introduces-fifo-queues-with-exactly-once-processing-and-lower-prices-for-standard-queues/) | | |
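As an added example (not part of this guardrail page), a small Python checker that takes a parsed SQS queue policy document and reports Allow statements that miss IAM-SQS-1, IAM-SQS-2 or IAM-SQS-3; the helper names, the sample policy and its account id and ARNs are constructed for illustration. It generalizes the checks slightly by treating `*` and `sqs:*` actions as covering the guarded actions.

```python
SEND_ACTIONS = {"sqs:SendMessage", "sqs:SendMessageBatch"}  # IAM-SQS-2
RECEIVE_ACTIONS = {"sqs:ReceiveMessage"}                     # IAM-SQS-3

def _as_list(value):  # IAM policy fields may be a scalar or a list; normalise to a list
    return [] if value is None else value if isinstance(value, list) else [value]

def _covers(actions, wanted):  # does any listed action grant one of the wanted actions?
    return any(a in ("*", "sqs:*") or a in wanted for a in actions)

def _has_source_arn(stmt):
    # True if some condition operator keys on aws:SourceArn (key names are case-insensitive)
    return any("aws:sourcearn" in {k.lower() for k in keys}
               for keys in stmt.get("Condition", {}).values())

def _is_wildcard_principal(principal):
    # Principal "*" or {"AWS": "*"} admits any caller unless a Condition narrows it
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def check_queue_policy(policy):
    """Return (guardrail id, Sid) pairs for Allow statements that miss a guardrail."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action"))
        # IAM-SQS-1: a service principal must be pinned to its source resource
        if isinstance(principal, dict) and "Service" in principal and not _has_source_arn(stmt):
            findings.append(("IAM-SQS-1", sid))
        # IAM-SQS-2/3: an unconditioned wildcard principal is not "authorized principals only"
        if _is_wildcard_principal(principal) and not stmt.get("Condition"):
            if _covers(actions, SEND_ACTIONS):
                findings.append(("IAM-SQS-2", sid))
            if _covers(actions, RECEIVE_ACTIONS):
                findings.append(("IAM-SQS-3", sid))
    return findings

# Constructed sample (placeholder account id): an S3 service principal without
# aws:SourceArn, an open SendMessage grant, and a correctly scoped consumer role.
QUEUE = "arn:aws:sqs:us-east-1:111122223333:orders"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Events", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE},
    {"Sid": "OpenSend", "Effect": "Allow", "Principal": "*", "Resource": "*",
     "Action": ["sqs:SendMessage", "sqs:SendMessageBatch"]},
    {"Sid": "Consumer", "Effect": "Allow", "Action": "sqs:ReceiveMessage", "Resource": QUEUE,
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/worker"}}]}
```

Running `check_queue_policy(SAMPLE_POLICY)` flags the S3Events statement under IAM-SQS-1 and the OpenSend statement under IAM-SQS-2; adding an `aws:SourceArn` condition to the first and a named principal to the second clears both.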