---
layout: default
---



## Amazon Simple Queue Service (SQS)

| Identifier                                         | Guardrail                                                                                          | Rationale                                                                                                                                                                                                                                                                                                                                                                                                  | Remediation                                                                                                                                         | References                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Policy                   | IAM Actions   |
|:---------------------------------------------------|:---------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------|:--------------|
| <a id="IAM-SQS-1" href="#IAM-SQS-1" >IAM-SQS-1</a> | Check that, when an AWS service calls Amazon SQS, the policy specifies `aws:SourceArn` for the authorized service. | Specifying the global condition context key `aws:SourceArn` protects against the confused deputy problem. | Use the global condition context key `aws:SourceArn` to specify the ARN of the authorized AWS service resource that is allowed to call your SQS queue. | [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)<br><br>[https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html) | SQS Policy or IAM Policy |               |
| <a id="IAM-SQS-2" href="#IAM-SQS-2" >IAM-SQS-2</a> | Check that only authorized principals are able to invoke SendMessage or SendMessageBatch. | Unauthorized principals can flood the SQS queues, potentially resulting in large costs or a denial of service against the queues. A second concern is malicious messages: the default SQS message size is 256 KB, though clients can send a maximum payload size of 2 GB. If the consuming application does not fully sanitize message input, it could be at risk. | Scope SendMessage and SendMessageBatch to authorized principals only. | [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html)<br><br>[https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html) |                          |               |
| <a id="IAM-SQS-3" href="#IAM-SQS-3" >IAM-SQS-3</a> | Check that only authorized principals are able to invoke ReceiveMessage. | Unauthorized principals can consume messages, preventing the intended consumer from receiving them. This is particularly damaging for FIFO queues with exactly-once processing. | Scope ReceiveMessage to authorized principals only. | [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html)<br><br>[https://aws.amazon.com/about-aws/whats-new/2016/11/amazon-sqs-introduces-fifo-queues-with-exactly-once-processing-and-lower-prices-for-standard-queues/](https://aws.amazon.com/about-aws/whats-new/2016/11/amazon-sqs-introduces-fifo-queues-with-exactly-once-processing-and-lower-prices-for-standard-queues/) |                          |               |
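As an added audit example (not part of this guardrail page), the following Python checks an SQS queue policy document offline against IAM-SQS-1 to IAM-SQS-3: a service principal granted access without `aws:SourceArn`, and wildcard principals granted the send or receive actions with no condition. The sample policy, account id and ARNs are constructed placeholders; fetching a real policy (the `Policy` queue attribute) is left to the caller.

```python
import json
# Constructed sample queue policy (not from the page); the account id and ARNs are placeholders.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    # Compliant: SNS may send, but only on behalf of one named topic, pinned by aws:SourceArn
    {"Sid": "TopicFanout", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
     "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:order-events"}}},
    # IAM-SQS-1: a service principal trusted without aws:SourceArn (confused deputy exposure)
    {"Sid": "EventBridgeUnscoped", "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
     "Action": ["sqs:SendMessage", "sqs:SendMessageBatch"], "Resource": QUEUE_ARN},
    # IAM-SQS-2 and IAM-SQS-3: any principal may send to and receive from the queue
    {"Sid": "PublicQueue", "Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": QUEUE_ARN}]})

SEND_ACTIONS = {"sqs:sendmessage", "sqs:sendmessagebatch"}
RECEIVE_ACTIONS = {"sqs:receivemessage"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(stmt, wanted):
    # Action names are case-insensitive, and sqs:* or * covers the guarded actions too
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & wanted) or "sqs:*" in actions or "*" in actions

def _has_source_arn(stmt):
    # Condition is {operator: {key: value}}; accept aws:SourceArn under any operator
    return any("aws:sourcearn" in {k.lower() for k in keys}
               for keys in stmt.get("Condition", {}).values())

def check_queue_policy(policy_json):
    """Return (Sid, guardrail) findings for the Allow statements of an SQS queue policy."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        is_service = isinstance(principal, dict) and "Service" in principal
        is_public = principal == "*" or (isinstance(principal, dict)
                                         and "*" in _as_list(principal.get("AWS", [])))
        if is_service and not _has_source_arn(stmt):
            findings.append((sid, "IAM-SQS-1"))
        # A wildcard principal with no Condition at all is unscoped; conditional grants need manual review
        if is_public and not stmt.get("Condition"):
            if _grants(stmt, SEND_ACTIONS):
                findings.append((sid, "IAM-SQS-2"))
            if _grants(stmt, RECEIVE_ACTIONS):
                findings.append((sid, "IAM-SQS-3"))
    return findings
```

Running `check_queue_policy(SAMPLE_POLICY)` reports the EventBridge statement under IAM-SQS-1 and the public statement under both IAM-SQS-2 and IAM-SQS-3, while the SNS statement pinned by `aws:SourceArn` passes.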