Detection: SQS Queue Granted Public Access
Overview
Detect when an Amazon SQS queue was granted public access. Public access to SQS queues can allow unauthorized entities to send or receive messages, leading to potential data leakage, service disruption, or unauthorized actions within applications. Monitoring public access grants ensures secure and controlled message processing while protecting sensitive workflows.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.sqs_queue_granted_public_accessSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.sqs_queue_granted_public_access --shareSQL
This detection uses a named query:
with policy as ( select *, unnest( from_json((request_parameters -> 'attributes' ->> 'Policy' -> 'Statement'), '["JSON"]') ) as statement_item, from aws_cloudtrail_log where event_source = 'sqs.amazonaws.com' and event_name = 'SetQueueAttributes' and (request_parameters -> 'attributes' ->> 'Policy') != '')select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,coalesce(response_elements ->> 'queueUrl', request_parameters ->> 'queueUrl') as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from policywhere (statement_item ->> 'Effect') = 'Allow' and ((json_contains((statement_item -> 'Principal'), '{"AWS":"*"}') ) or ((statement_item ->> 'Principal') = '*')) and error_code is null
order by event_time desc;