AWS SQS Queue modified to allow public access
Description
AlphaSOC detected that an AWS SQS Queue was modified to allow public access. SQS is a fully managed message queuing service that facilitates integration and decoupling of distributed systems. Allowing public access to an SQS queue exposes it to threat actors, who can read, inject, or modify its contents.
Impact
Public access to an AWS SQS Queue can have significant consequences. Adversaries can access sensitive messages, inject malicious code, or disrupt operations by deleting or modifying queue contents. This exposure can lead to data leaks, service disruptions, and potential compliance violations, compromising the integrity and confidentiality of the systems relying on the queue.
Severity
| Severity | Condition |
|---|---|
| Medium | SQS Queue made publicly accessible |
Investigation and Remediation
Immediately review the SQS Queue's access policy and revert any unauthorized changes. Investigate the AWS CloudTrail logs to identify the user or role that modified the queue settings. Check for any unusual message patterns or unexpected queue operations. If compromise is confirmed, rotate all associated access keys and review the contents of the queue for potential data exfiltration.
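As an added illustration of the first two steps (review the access policy, find the CloudTrail change that set it), the following Python is example code, not AlphaSOC's own detection: it inspects a SetQueueAttributes CloudTrail record for a queue policy open to any principal, while leaving alone the common SNS-to-SQS grant that uses Principal "*" scoped by aws:SourceArn. The sample policies, account ID, ARNs and the event field layout are constructed.

```python
import json

# Condition keys that scope a wildcard principal to a known caller (service-to-service patterns).
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid", "aws:sourcevpce"}

# Constructed sample policies (not from a real account). The first is public; the second is the
# usual SNS-to-SQS grant: Principal "*" but restricted to one topic ARN, so it is not public.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowTopic", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
     "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:orders-topic"}}}]})

# Constructed CloudTrail record; the field layout of a SetQueueAttributes event is assumed here.
SAMPLE_EVENT = {"eventSource": "sqs.amazonaws.com", "eventName": "SetQueueAttributes",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"queueUrl": "https://sqs.us-east-1.amazonaws.com/123456789012/orders",
                                      "attributes": {"Policy": PUBLIC_POLICY}}}

def _principals(p):
    """Flatten a Principal field ("*", {"AWS": "*"}, {"AWS": [...]}) to a list of strings."""
    if isinstance(p, str):
        return [p]
    return [v for vals in p.values() for v in (vals if isinstance(vals, list) else [vals])]

def public_statements(policy):
    """Return the Sids of Allow statements open to any principal with no scoping condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    flagged = []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow" or "*" not in _principals(s.get("Principal", {})):
            continue
        cond_keys = {k.lower() for block in s.get("Condition", {}).values() for k in block}
        if not cond_keys & SCOPING_KEYS:
            flagged.append(s.get("Sid", "<no Sid>"))
    return flagged

def check_cloudtrail_event(event):
    """Return the public Sids written by a SetQueueAttributes event, or [] if nothing to flag."""
    if event.get("eventName") != "SetQueueAttributes":
        return []
    policy = event.get("requestParameters", {}).get("attributes", {}).get("Policy")
    return public_statements(policy) if policy else []

if __name__ == "__main__":
    sids = check_cloudtrail_event(SAMPLE_EVENT)
    print("public statements:", sids, "set by", SAMPLE_EVENT["userIdentity"]["arn"])
```

The same `public_statements` check can be run over the live policy returned by the GetQueueAttributes API to confirm that the revert actually removed every public statement.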
Known False Positives
- Alert triggered by changes in AWS's internal IP ranges used for service communication