AWS Security Hub - Detect SQS Queue policy allowing public access
| Id | 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11 |
| Rulename | AWS Security Hub - Detect SQS Queue policy allowing public access |
| Description | This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings. Publicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows. |
| Severity | High |
| Tactics | Exfiltration Collection |
| Techniques | T1567 T1530 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml |
| Version | 1.0.0 |
| Arm template | 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.3"
    or tostring(ComplianceSecurityControlId) == "SQS.3"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsSqsQueue"
| extend QueueArn = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
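The query above keeps only active, still-failing SQS.3 findings, expands each finding's Resources array so the queue ARN becomes a column, and collapses repeated ingestions of the same finding to their newest timestamp. The following Python is an added example, not part of the Sentinel rule, that mirrors that logic so the selection can be checked offline against a handful of constructed records shaped like the AWSSecurityHubFindings columns the rule references (the finding IDs, account number, queue ARNs and the standard-scoped GeneratorId string are constructed for the example).

```python
"""Replay the analytic rule's selection logic over constructed findings.

Added example, not part of the Sentinel rule: it mirrors the KQL above in
Python so the filter and de-duplication behaviour can be checked offline.
Every record below is constructed in the shape of the AWSSecurityHubFindings
columns the rule references, not real telemetry.
"""
from datetime import datetime, timezone

QUEUE = "arn:aws:sqs:us-east-1:111122223333:orders-queue"   # constructed
TITLE = "SQS queue access policies should not allow public access"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _finding(time, state, status, generator, control, fid, resources):
    return {
        "TimeGenerated": _ts(time), "RecordState": state,
        "ComplianceStatus": status,
        "AwsSecurityFindingGeneratorId": generator,
        "ComplianceSecurityControlId": control,
        "AwsSecurityFindingId": fid,
        "AwsSecurityFindingTitle": TITLE,
        "AwsSecurityFindingDescription": "Constructed finding description",
        "AwsAccountId": "111122223333", "AwsRegion": "us-east-1",
        "Resources": resources,
    }


FINDINGS = [
    # Active, failed SQS.3 in the consolidated GeneratorId format: fires.
    _finding("2024-05-01T10:00:00", "ACTIVE", "FAILED",
             "security-control/SQS.3", "SQS.3", "finding-a",
             [{"Type": "AwsSqsQueue", "Id": QUEUE}]),
    # The same finding re-ingested later: summarize keeps the newest time.
    _finding("2024-05-01T10:30:00", "ACTIVE", "FAILED",
             "security-control/SQS.3", "SQS.3", "finding-a",
             [{"Type": "AwsSqsQueue", "Id": QUEUE}]),
    # Standard-scoped GeneratorId (constructed): only the control-ID clause
    # of the second where matches it; the AwsAccount resource is dropped.
    _finding("2024-05-01T10:05:00", "ACTIVE", "FAILED",
             "aws-foundational-security-best-practices/v/1.0.0/SQS.3", "SQS.3",
             "finding-b",
             [{"Type": "AwsAccount", "Id": "111122223333"},
              {"Type": "AwsSqsQueue", "Id": QUEUE + "-dlq"}]),
    # Remediated (PASSED) and archived copies are dropped by the first where.
    _finding("2024-05-01T10:10:00", "ACTIVE", "PASSED",
             "security-control/SQS.3", "SQS.3", "finding-c",
             [{"Type": "AwsSqsQueue", "Id": QUEUE}]),
    _finding("2024-05-01T10:15:00", "ARCHIVED", "FAILED",
             "security-control/SQS.3", "SQS.3", "finding-d",
             [{"Type": "AwsSqsQueue", "Id": QUEUE}]),
    # A failed control that is not SQS.3 never reaches the queue filter.
    _finding("2024-05-01T10:20:00", "ACTIVE", "FAILED",
             "security-control/S3.2", "S3.2", "finding-e",
             [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::some-bucket"}]),
]

GROUP_KEYS = ("AwsAccountId", "AwsRegion", "AwsSecurityFindingTitle",
              "AwsSecurityFindingDescription", "AwsSecurityFindingId",
              "ComplianceSecurityControlId", "QueueArn")


def select_public_sqs_queues(findings):
    """Python equivalent of the rule's KQL: filter, mv-expand, summarize."""
    latest = {}
    for f in findings:
        if f["RecordState"] != "ACTIVE" or f["ComplianceStatus"] != "FAILED":
            continue
        if (f["AwsSecurityFindingGeneratorId"] != "security-control/SQS.3"
                and f["ComplianceSecurityControlId"] != "SQS.3"):
            continue
        for res in f["Resources"]:                # mv-expand Resource = Resources
            if res.get("Type") != "AwsSqsQueue":
                continue
            row = {k: f[k] for k in GROUP_KEYS if k != "QueueArn"}
            row["QueueArn"] = res["Id"]
            key = tuple(row[k] for k in GROUP_KEYS)
            # summarize TimeGenerated = max(TimeGenerated) by <GROUP_KEYS>
            if key not in latest or f["TimeGenerated"] > latest[key]["TimeGenerated"]:
                latest[key] = {**row, "TimeGenerated": f["TimeGenerated"]}
    return sorted(latest.values(), key=lambda r: r["QueueArn"])


if __name__ == "__main__":
    for r in select_public_sqs_queues(FINDINGS):
        print(r["TimeGenerated"].isoformat(), r["AwsSecurityFindingId"], r["QueueArn"])
```

Two rows come out of the six records: the orders queue once, carrying the later 10:30 timestamp, and the dead-letter queue matched purely through ComplianceSecurityControlId. Because AwsSecurityFindingId is part of the grouping key, the same queue reported under a second finding ID would produce a second alert; drop that column from the `by` clause if one alert per queue is preferred.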
queryPeriod: 1h
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.3"
      or tostring(ComplianceSecurityControlId) == "SQS.3"
  | mv-expand Resource = Resources
  | where tostring(Resource.Type) == "AwsSqsQueue"
  | extend QueueArn = tostring(Resource.Id)
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
name: AWS Security Hub - Detect SQS Queue policy allowing public access
entityMappings:
  - fieldMappings:
      - columnName: AwsAccountId
        identifier: Name
      - columnName: AwsAccountId
        identifier: CloudAppAccountId
    entityType: Account
  - fieldMappings:
      - columnName: QueueArn
        identifier: Name
    entityType: CloudApplication
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueuePublicAccess.yaml
tags:
  - AWS Foundational Security Best Practices v1.0.0
requiredDataConnectors:
  - connectorId: AWSSecurityHub
    dataTypes:
      - AWSSecurityHubFindings
description: |
  This query detects Amazon SQS queues with access policies that allow public (unauthenticated or cross-account unrestricted) access, using AWS Security Hub control SQS.3 findings.
  Publicly accessible queues can enable data exfiltration, unauthorized message injection, or disruption of workflows.
kind: Scheduled
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: Public access detected for SQS queue {{QueueArn}}
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) with a policy permitting public access. Review and restrict the queue access policy.
status: Available
severity: High
relevantTechniques:
  - T1567
  - T1530
triggerOperator: gt
triggerThreshold: 0
customDetails:
  Region: AwsRegion
  ComplianceControlId: ComplianceSecurityControlId
  FindingId: AwsSecurityFindingId
  QueueArn: QueueArn
tactics:
  - Exfiltration
  - Collection
id: 4f0f3c2a-8d44-43f8-9d9a-5b1e0d5f2c11
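The alert text asks the responder to "review and restrict the queue access policy", and the description defines public access as an unauthenticated or unrestricted cross-account grant. In policy terms that is an Allow statement whose Principal is a wildcard (`"*"` or `{"AWS": "*"}`) and whose Condition does not narrow who the caller is. The Python below is an added example, not part of the Sentinel rule and not Security Hub's own SQS.3 evaluator (which remains authoritative): it applies that approximation to a weak queue policy and to the restricted form a responder would move to. Both policies, the queue and topic ARNs, and the list of condition keys treated as caller-restricting are constructed assumptions for the example.

```python
"""Approximate locally what SQS.3 flags: an Allow statement whose Principal is
a wildcard and whose Condition does not narrow the caller.

Added example, not part of the Sentinel rule and not Security Hub's own
evaluator. The two queue policies are constructed; the set of "restricting"
condition keys is an assumption made for this example.
"""
import json

# Condition keys that limit WHO may use a statement. Keys such as
# aws:SecureTransport limit how the call is made, not who makes it, so a
# wildcard principal guarded only by them is still public. (Assumed list.)
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
    "aws:principalarn", "aws:principalaccount", "aws:principalorgid",
    "aws:sourcevpc", "aws:sourcevpce",
}


def _is_wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _restricts_caller(condition) -> bool:
    """True if any condition key narrows the calling principal or source."""
    for keys in (condition or {}).values():   # e.g. {"ArnEquals": {"aws:SourceArn": ...}}
        if any(k.lower() in RESTRICTING_CONDITION_KEYS for k in keys):
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements that let any principal act on the queue."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):            # single-statement shorthand
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>") for s in statements
        if s.get("Effect") == "Allow"
        and _is_wildcard_principal(s.get("Principal"))
        and not _restricts_caller(s.get("Condition"))
    ]


QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders-queue"   # constructed

# Weak: anyone on the internet may enqueue. aws:SecureTransport only forces
# TLS; it says nothing about who may send, so this statement is still public.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Restricted: the same wildcard principal, but only when the request comes
# from one named SNS topic in this account (the usual SNS -> SQS shape).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrdersTopicOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {
            "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:orders-topic"}},
    }],
})

if __name__ == "__main__":
    print("weak :", public_statements(WEAK_POLICY))    # ['AllowAnyoneToSend']
    print("fixed:", public_statements(FIXED_POLICY))   # []
```

The weak policy is the case that trips people up: it has a Condition block, so it looks restricted, yet the only key constrains transport, not identity. When reviewing a flagged queue, check what the Condition actually keys on before accepting it, and prefer a named Principal (an account, role or service principal) over a wildcard plus condition where the integration allows it.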