SQS queue should not be accessible over the public internet
Description
Update Amazon Simple Queue Service (SQS) queue permissions.
Rationale
Publicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.
From the console
Follow the Managing access to resources docs to learn how to implement a permissions policy in the AWS console.
From the command line
Run the list-queues
command to get a list of queue URLs.
aws sqs list-queues --region insert-your-region-here
Run the get-queue-attributes
command with a queue URL returned in step 1.
aws sqs get-queue-attributes \
--queue-url https://queue.amazonaws.com/123456789012/YourQueue \
--attribute-names Policy
Run the remove-permission
command to remove any unwanted permissions from your queue policy.
aws sqs remove-permission \
--region insert-your-region-here \
--queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \
--label insert-label-name \
--aws-account-ids insert-aws-account-ids-here \
--actions insert-action-to-remove
Run the add-permission
command to add a new permission to your queue policy.
aws sqs add-permission \
--queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \
--label insert-label-name \
--aws-account-ids insert-aws-account-ids-here \
--actions insert-action-to-add
Complete steps 2 through 4 for any remaining queue URLs returned from step 1 for each region you have SQS enabled.