AWS Security Hub - Detect SQS Queue policy allowing public access
| Id | 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11 |
| Rulename | AWS Security Hub - Detect SQS Queue policy allowing public access |
| Description | This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings. Publicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows. |
| Severity | High |
| Tactics | Exfiltration Collection |
| Techniques | T1567 T1530 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml |
| Version | 1.0.0 |
| Arm template | 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.3"
or tostring(ComplianceSecurityControlId) == "SQS.3"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsSqsQueue"
| extend QueueArn = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
tactics:
- Exfiltration
- Collection
id: 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml
version: 1.0.0
status: Available
description: |
This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings.
Publicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows.
tags:
- AWS Foundational Security Best Practices v1.0.0
severity: High
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AwsAccountId
- identifier: CloudAppAccountId
columnName: AwsAccountId
entityType: Account
- fieldMappings:
- identifier: Name
columnName: QueueArn
entityType: CloudApplication
alertDetailsOverride:
alertDisplayNameFormat: Public access detected for SQS queue {{QueueArn}}
alertDescriptionFormat: AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) with a policy permitting public access. Review and restrict the queue access policy.
name: AWS Security Hub - Detect SQS Queue policy allowing public access
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.3"
or tostring(ComplianceSecurityControlId) == "SQS.3"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsSqsQueue"
| extend QueueArn = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
kind: Scheduled
queryPeriod: 1h
queryFrequency: 1h
triggerOperator: gt
customDetails:
QueueArn: QueueArn
ComplianceControlId: ComplianceSecurityControlId
Region: AwsRegion
FindingId: AwsSecurityFindingId
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
relevantTechniques:
- T1567
- T1530