SQS access policies should not have global "*.*" access


SQS policies should not permit all users to access SQS queues. To promote the security principle of least privilege, an SQS policy should allow only necessary principals to access the queue.

Console Remediation Steps

  • Navigate to SQS.

  • Select the SQS queue.

  • Select the Permissions tab.

  • Remove any permissions that grant the SQS queue global "*.*" access.

  • Click OK.

CLI Remediation Steps

  • To remove the global "*.*" access, delete the offending policy statement by its label (the statement's Sid):

    • aws sqs remove-permission --queue-url https://sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --label SendMessagesFromMyQueue
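The console and CLI steps above assume you already know which statement is open to everyone. The following script, added here as an example and not part of the original page, inspects a queue policy document (the JSON returned by `aws sqs get-queue-attributes --attribute-names Policy`), lists the Allow statements whose Principal is the wildcard and that carry no Condition, and builds the trimmed policy you would pass to `set-queue-attributes` for statements that have no label to give `remove-permission`. The policy, account id and ARNs are constructed placeholders.

```python
import json

# Constructed sample queue policy (placeholder account id and queue ARN).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # open to every AWS principal: this is the finding
            "Sid": "SendMessagesFromMyQueue",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:MyQueue",
        },
        {   # scoped to one role: least privilege, keep it
            "Sid": "AllowProducerRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/producer"},
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:MyQueue",
        },
    ],
}


def is_global_principal(principal) -> bool:
    """True when the Principal element means 'everyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])        # IAM allows a single object here
    return stmts if isinstance(stmts, list) else [stmts]


def find_global_statements(policy: dict) -> list:
    """Sids (or positional names) of Allow statements open to everyone and not
    narrowed by a Condition. Conditioned wildcard statements (e.g. aws:SourceArn
    for an SNS topic) are skipped here and still deserve manual review."""
    return [s.get("Sid", f"statement-{i}") for i, s in enumerate(_statements(policy))
            if s.get("Effect") == "Allow" and is_global_principal(s.get("Principal"))
            and not s.get("Condition")]


def without_global_statements(policy: dict) -> dict:
    """Copy of the policy with the flagged statements removed (new Policy value)."""
    flagged = set(find_global_statements(policy))
    kept = [s for i, s in enumerate(_statements(policy))
            if s.get("Sid", f"statement-{i}") not in flagged]
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    print("open to everyone:", find_global_statements(SAMPLE_POLICY))
    print(json.dumps(without_global_statements(SAMPLE_POLICY), indent=2))
```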