k9 Security now summarizes principals’ access to the SQS APIs and reports whether principals may administer queue resources or read, write, or delete messages. AWS Simple Queue Service (SQS) is a managed message queuing service that enables you to decouple and scale services in distributed systems. k9 Security’s daily reports now contain a summary of each principal’s access to SQS.

If you’re wondering which IAM principals can administer queues or send, receive, or delete messages within your AWS account, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use SQS and maps each principal’s access to a k9 access capability. For example:

Figure 1: Example showing SQS APIs access for IAM Principals

In this example the ci IAM user and the AccountAdminAccessRole-Sandbox role have full access to the SQS API with the administer-resource, delete-data, read-data, and write-data capabilities. The AWSServiceRoleForAccessAnalyzer role has only the read-data capability.

Here’s how SQS’ 20 API actions are mapped to k9 access capabilities:

| Action                        | Capability                        |
|-------------------------------|-----------------------------------|
| AddPermission                 | administer-resource               |
| CreateQueue                   | administer-resource               |
| DeleteQueue                   | administer-resource, delete-data  |
| PurgeQueue                    | administer-resource, delete-data  |
| RemovePermission              | administer-resource               |
| SetQueueAttributes            | administer-resource               |
| TagQueue                      | administer-resource               |
| UntagQueue                    | administer-resource               |
| DeleteMessage                 | delete-data                       |
| DeleteMessageBatch            | delete-data                       |
| GetQueueAttributes            | read-data                         |
| GetQueueUrl                   | read-data                         |
| ListDeadLetterSourceQueues    | read-data                         |
| ListQueues                    | read-data                         |
| ListQueueTags                 | read-data                         |
| ReceiveMessage                | read-data                         |
| ChangeMessageVisibility       | write-data                        |
| ChangeMessageVisibilityBatch  | write-data                        |
| SendMessage                   | write-data                        |
| SendMessageBatch              | write-data                        |

Table 1: Map of SQS API actions to k9 Access Capabilities

The SQS API actions allowing creation, deletion, and configuration of queues are mapped to administer-resource. The DeleteQueue and PurgeQueue actions are mapped to both the administer-resource and delete-data capability because those actions both administer queue resources and delete message data.

Publishers send messages using actions mapped to write-data. Consumers receive and delete messages from the queue with actions mapped to read-data and delete-data, respectively.
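To show how the mapping in Table 1 turns a policy into a capability summary, here is an added example (not k9's own code) that expands the `sqs:*`-style action patterns found in IAM identity policies against the 20 SQS actions and reports the capabilities they grant. The sample policy is constructed; it ignores Deny statements, conditions, and resource scoping, which a real analysis must also evaluate.

```python
import fnmatch

# Table 1 from the post, grouped by capability (DeleteQueue and PurgeQueue appear twice).
_BY_CAPABILITY = {
    "administer-resource": ["AddPermission", "CreateQueue", "DeleteQueue", "PurgeQueue",
                            "RemovePermission", "SetQueueAttributes", "TagQueue", "UntagQueue"],
    "delete-data": ["DeleteQueue", "PurgeQueue", "DeleteMessage", "DeleteMessageBatch"],
    "read-data": ["GetQueueAttributes", "GetQueueUrl", "ListDeadLetterSourceQueues",
                  "ListQueues", "ListQueueTags", "ReceiveMessage"],
    "write-data": ["ChangeMessageVisibility", "ChangeMessageVisibilityBatch",
                   "SendMessage", "SendMessageBatch"],
}
# Invert to action -> set of capabilities (20 SQS actions).
SQS_ACTION_CAPABILITIES = {}
for _cap, _names in _BY_CAPABILITY.items():
    for _n in _names:
        SQS_ACTION_CAPABILITIES.setdefault(_n, set()).add(_cap)

def expand_sqs_actions(pattern):
    """Concrete SQS actions matched by an IAM action pattern ('sqs:Send*', 'sqs:*', '*').
    IAM matches action names case-insensitively, so compare in lower case."""
    if pattern == "*":
        return set(SQS_ACTION_CAPABILITIES)
    service, _, name = pattern.partition(":")
    if service.lower() != "sqs":
        return set()
    return {a for a in SQS_ACTION_CAPABILITIES if fnmatch.fnmatchcase(a.lower(), name.lower())}

def sqs_capabilities(policy):
    """Return (actions, capabilities) granted by the Allow statements of an identity
    policy document. Deny statements, conditions and resource scoping are ignored here."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        listed = stmt.get("Action", [])
        for pattern in ([listed] if isinstance(listed, str) else listed):
            actions |= expand_sqs_actions(pattern)
    caps = set().union(*(SQS_ACTION_CAPABILITIES[a] for a in actions))
    return actions, caps

# Constructed sample: a consumer role that can also purge queues.
CONSUMER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage*", "sqs:GetQueue*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:PurgeQueue", "Resource": "*"},
]}

if __name__ == "__main__":
    print(sqs_capabilities(CONSUMER_POLICY))
```

The sample role lands on read-data, delete-data, and administer-resource but not write-data, which is the kind of result that flags a "consumer" that can also wipe a queue.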

We hope k9’s new SQS analysis capabilities help you identify which IAM users and roles can use SQS queues and messages in your AWS accounts. We are happy to answer any questions!