
AWS Security Hub - Detect SQS Queue policy allowing public access

Id4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11
RulenameAWS Security Hub - Detect SQS Queue policy allowing public access
DescriptionThis query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings.

Publicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows.
SeverityHigh
TacticsExfiltration
Collection
TechniquesT1567
T1530
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml
Version1.0.0
Arm template4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11.json
AWSSecurityHubFindings
// Open findings that are currently non-compliant
| where RecordState == "ACTIVE"
| where ComplianceStatus == "FAILED"
// Security Hub control SQS.3, matched on either the control id column or the generator id
| where tostring(ComplianceSecurityControlId) == "SQS.3"
      or tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.3"
// One row per affected resource; keep only SQS queues and surface the queue ARN
| mv-expand Resource = Resources
| extend ResourceType = tostring(Resource.Type), QueueArn = tostring(Resource.Id)
| where ResourceType == "AwsSqsQueue"
// Collapse repeated exports of the same finding to its latest occurrence
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
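# Microsoft Sentinel scheduled analytic rule (Azure-Sentinel solution YAML format).
# Alerts on AWS Security Hub control SQS.3 findings (SQS queue access policy allows public access)
# ingested through the AWSSecurityHub data connector.
id: 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11
name: AWS Security Hub - Detect SQS Queue policy allowing public access
description: |
  This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings.
  Publicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows.
severity: High
status: Available
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
# Frequency equals period, so each run covers only findings exported in the last hour.
# NOTE(review): a finding that stays FAILED and is re-exported inside that window will
# re-alert on every run — confirm the connector's export cadence and rely on incident
# grouping if that is noisy.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
- Collection
relevantTechniques:
- T1567
- T1530
tags:
- AWS Foundational Security Best Practices v1.0.0
# Literal block scalar: every content line is part of the query verbatim, so no trailing
# whitespace is left on any line.
query: |
  AWSSecurityHubFindings
  // Open findings that are currently non-compliant
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  // Security Hub control SQS.3, matched on either the generator id or the control id column
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.3"
        or tostring(ComplianceSecurityControlId) == "SQS.3"
  // One row per affected resource; keep only SQS queues and surface the queue ARN
  | mv-expand Resource = Resources
  | where tostring(Resource.Type) == "AwsSqsQueue"
  | extend QueueArn = tostring(Resource.Id)
  // Collapse repeated exports of the same finding to its latest occurrence
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
# The AWS account is mapped twice so it resolves both as a named account and as a
# cloud-app account id; the queue ARN is the CloudApplication entity.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
- entityType: CloudApplication
  fieldMappings:
  - columnName: QueueArn
    identifier: Name
# Query columns surfaced on the alert for triage without opening the raw finding.
customDetails:
  Region: AwsRegion
  FindingId: AwsSecurityFindingId
  ComplianceControlId: ComplianceSecurityControlId
  QueueArn: QueueArn
# {{Column}} placeholders are substituted per alert from the query output.
alertDetailsOverride:
  alertDisplayNameFormat: Public access detected for SQS queue {{QueueArn}}
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) with a policy permitting public access. Review and restrict the queue access policy.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml
version: 1.0.0
kind: Scheduled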
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) with a policy permitting public access. Review and restrict the queue access policy.",
          "alertDisplayNameFormat": "Public access detected for SQS queue {{QueueArn}}"
        },
        "alertRuleTemplateName": "4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "QueueArn": "QueueArn",
          "Region": "AwsRegion"
        },
        "description": "This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings.\nPublicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows.\n",
        "displayName": "AWS Security Hub - Detect SQS Queue policy allowing public access",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "QueueArn",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SQS.3\"\n      or tostring(ComplianceSecurityControlId) == \"SQS.3\"\n| mv-expand Resource = Resources\n| where tostring(Resource.Type) == \"AwsSqsQueue\"\n| extend QueueArn = tostring(Resource.Id)\n| summarize TimeGenerated = max(TimeGenerated)\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration"
        ],
        "tags": [
          "AWS Foundational Security Best Practices v1.0.0"
        ],
        "techniques": [
          "T1530",
          "T1567"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}