AWS IAM Permissions Guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/


Amazon Simple Queue Service (SQS)

Fields per guardrail (the columns of the original table): Identifier, Guardrail, Rationale, Remediation, References, Policy, IAM Actions.

IAM-SQS-1
Guardrail: When an AWS service (for example Amazon SNS delivering notifications to the queue) is allowed to call Amazon SQS, check that the policy statement specifies aws:SourceArn for the authorized source resource.
Rationale: Specifying the global condition context key aws:SourceArn protects against the confused deputy problem. Without it the queue trusts the service principal as such, so the same service acting on behalf of any other customer (another account's topic, bucket or rule) could deliver to the queue.
Remediation: Use the global condition context key aws:SourceArn to name the ARN of the specific source resource (topic, bucket, rule, ...) that is allowed to deliver to your queue; the condition belongs on the statement that grants the service principal access.
References:
  https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
  https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html
Policy: SQS policy or IAM policy
IAM Actions: (not specified)

IAM-SQS-2
Guardrail: Check that only authorized principals are able to invoke SendMessage or SendMessageBatch.
Rationale: Unauthorized principals can flood the queue, driving up cost or denying service to the intended consumers. The second concern is malicious message content. The maximum SQS message size is 256 KB, and with the Amazon SQS Extended Client Library (which stores the payload in Amazon S3 and sends only a reference) a message can carry a payload of up to 2 GB. If the consuming application does not fully sanitize message bodies and instead treats them as trusted, it is exposed to whatever an unauthorized sender puts there.
Remediation: Scope SendMessage and SendMessageBatch to authorized principals only. Note that SendMessageBatch is authorized by the sqs:SendMessage IAM action; there is no separate sqs:SendMessageBatch action to grant or deny.
References:
  https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html
  https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessageBatch.html
Policy: (not specified)
IAM Actions: sqs:SendMessage (also authorizes SendMessageBatch)

IAM-SQS-3
Guardrail: Check that only authorized principals are able to invoke ReceiveMessage.
Rationale: Unauthorized principals can read message contents and take messages, so the intended consumer does not receive them. Even without sqs:DeleteMessage a rogue receiver keeps messages in flight for the visibility timeout, and on a FIFO queue that also blocks delivery of the rest of the message group. This is particularly damaging on FIFO queues designed for exactly-once processing.
Remediation: Scope ReceiveMessage to authorized principals only.
References:
  https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html
  https://aws.amazon.com/about-aws/whats-new/2016/11/amazon-sqs-introduces-fifo-queues-with-exactly-once-processing-and-lower-prices-for-standard-queues/
Policy: (not specified)
IAM Actions: sqs:ReceiveMessage
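The three checks above, written as a small static linter over an SQS queue policy document. This is an added example for this page, not code from the aws-iam-permissions-guardrails project. The two embedded policies, the account id 111122223333 and the queue, topic and role names are constructed for illustration. It encodes two caveats the table implies: the IAM action sqs:SendMessage authorizes both SendMessage and SendMessageBatch, and an aws:SourceArn whose value is a bare "*" scopes nothing. It treats a grant to Principal "*" with no Condition as open to anyone; a statement that narrows "*" with some other condition (aws:SourceVpce, aws:SourceIp, ...) passes unflagged and should be reviewed by hand.

```python
"""Static check of an SQS queue policy against IAM-SQS-1, -2 and -3.
Added example for this page, not code from the aws-iam-permissions-guardrails
project; the account id, queue, topic and role names are constructed."""
import fnmatch
import json

# SendMessageBatch has no IAM action of its own: it is authorized by
# sqs:SendMessage, so this one action name covers both API calls.
SEND_ACTION = "sqs:SendMessage"
RECEIVE_ACTION = "sqs:ReceiveMessage"


def _as_list(value):
    """Most policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_action(statement, action):
    """True if Action matches `action` (IAM wildcards, case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _principals(statement):
    """Return (anonymous, service_principals) from the statement's Principal."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True, []
    return "*" in _as_list(principal.get("AWS")), _as_list(principal.get("Service"))


def _condition_values(statement, key):
    """Values bound to condition `key` under any operator (ArnEquals, ArnLike, ...)."""
    values = []
    for operands in statement.get("Condition", {}).values():
        for name, bound in operands.items():
            if name.lower() == key.lower():
                values.extend(_as_list(bound))
    return values


def lint_queue_policy(policy):
    """Return [(guardrail_id, sid, message)] for every Allow statement failing a check."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        anonymous, services = _principals(stmt)

        # IAM-SQS-1: a service principal must be pinned to one source resource with
        # aws:SourceArn, otherwise the same service acting for any other customer can
        # reach this queue (confused deputy). A bare "*" value pins nothing.
        if services:
            arns = _condition_values(stmt, "aws:SourceArn")
            if not arns or "*" in arns:
                findings.append(("IAM-SQS-1", sid, f"service {services} not scoped by aws:SourceArn"))

        # IAM-SQS-2 / IAM-SQS-3: Principal "*" with no Condition is an
        # unauthenticated grant; report it per action the statement covers.
        if anonymous and not stmt.get("Condition"):
            if _allows_action(stmt, SEND_ACTION):
                findings.append(("IAM-SQS-2", sid, "SendMessage open to any principal"))
            if _allows_action(stmt, RECEIVE_ACTION):
                findings.append(("IAM-SQS-3", sid, "ReceiveMessage open to any principal"))
    return findings


QUEUE = "arn:aws:sqs:us-east-1:111122223333:orders"  # constructed

# Constructed "before" policy: SNS may deliver from any topic in any account,
# and anyone at all may send to or read from the queue.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SnsAnyTopic", "Effect": "Allow",
     "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE},
    {"Sid": "OpenQueue", "Effect": "Allow", "Principal": "*",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": QUEUE},
]}

# Constructed "after" policy: SNS is pinned to one topic ARN and only the
# consumer role may receive.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SnsOrdersTopicOnly", "Effect": "Allow",
     "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE,
     "Condition": {"ArnEquals": {
         "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:orders-topic"}}},
    {"Sid": "ConsumerRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/orders-consumer"},
     "Action": "sqs:ReceiveMessage", "Resource": QUEUE},
]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_queue_policy(policy) or "no findings")
```

Running it reports one IAM-SQS-1 finding for the SNS statement and an IAM-SQS-2 and IAM-SQS-3 finding for the open statement of the weak policy, and nothing for the hardened one. The hardened policy also shows the shape of the remediation for IAM-SQS-1: an ArnEquals (or ArnLike, for a pattern) condition binding aws:SourceArn to the topic ARN, placed on the queue-policy statement that grants sns.amazonaws.com the sqs:SendMessage action.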