Amazon SQS queue policies are assessed for public access. The finding highlights queues with Allow statements using a wildcard Principal without restrictive conditions, compared to queues that only grant access to the owning account or explicitly trusted principals.
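The evaluation the check description above implies, written here as an added example rather than Prowler's own code: it flags Allow statements whose Principal is a wildcard and that carry no scoping Condition. The set of condition keys treated as restrictive and both sample policies are constructed assumptions for this illustration.

```python
import json

# Condition keys that pin a wildcard principal to a specific caller or source.
# Assumption of this example: only these keys count as restrictive.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalarn",
                "aws:principalaccount", "aws:principalorgid", "aws:sourcevpce"}

# Constructed sample: anyone may call every SQS action, no Condition at all.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"}]})

# Constructed sample: wildcard principal, but scoped to one SNS topic ARN.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
     "Condition": {"ArnEquals": {"aws:SourceArn":
                   "arn:aws:sns:us-east-1:111122223333:example-topic"}}}]})


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": [...]}, ...) to a list."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in (principal or {}).values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def _is_scoped(condition):
    """True if some condition key restricts who or what may call the queue."""
    return any(key.lower() in SCOPING_KEYS
               for keys in (condition or {}).values() for key in keys)


def public_statements(policy_json):
    """Allow statements open to any principal and not narrowed by a
    Condition: the pattern sqs_queues_not_publicly_accessible flags."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and "*" in _principals(s.get("Principal"))
            and not _is_scoped(s.get("Condition"))]


def is_publicly_accessible(policy_json):
    return bool(public_statements(policy_json))
```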
Risk
Public SQS access can expose message data (confidentiality), enable unauthorized send/receive or tampering (integrity), and allow purge/delete operations that disrupt processing (availability). It may also trigger unbounded message ingestion, causing cost spikes and consumer overload.
prowler aws --checks sqs_queues_not_publicly_accessible
prowler aws --checks sqs_queues_not_publicly_accessible --fixer
Recommendation
Apply least privilege on SQS resource policies:
- Avoid Principal: *; grant access only to specific accounts, roles, or services
- Add restrictive conditions to tightly scope access
- Prefer private connectivity and defense-in-depth controls
- Review policies and audit activity regularly to prevent drift
Remediation
aws sqs set-queue-attributes --queue-url <example_queue_url> --attributes Policy='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"<example_account_id>"},"Action":"sqs:*","Resource":"<example_queue_arn>"}]}'
- Open the Amazon SQS console and select the queue
- Go to Permissions (Access policy) and click Edit
- In the JSON policy, replace any "Principal": "*" with "Principal": { "AWS": "<your_account_id>" } or remove those public statements
- Save changes
Resource Type
AwsSqsQueue