SQS Queue Exposure

Can external parties send messages to or read from your SQS queues?

What this looks like in the scanner (securecompass.io/public-exposure-scanner)

  Critical  prod-task-processing-queue: SQS queue policy allows sqs:SendMessage from Principal: "*" (anyone can inject messages)
  High      event-ingestion-queue: SQS queue policy allows sqs:ReceiveMessage from an external AWS account without conditions
  Medium    notification-queue: SQS queue does not have server-side encryption enabled

What does Amazon SQS public exposure mean?

SQS queue policies can allow any AWS account to send messages, receive messages, or manage the queue. An overly permissive queue policy exposes your messaging infrastructure to external actors.

Why it matters

SQS queues often contain business-critical messages - orders, events, job tasks. External access means attackers could inject malicious messages, read sensitive data, or delete messages causing processing failures.

How to check manually

  1. Review SQS queue access policies for Principal: "*"
  2. Check for queues without server-side encryption
  3. Verify dead-letter queue configurations
  4. Review CloudTrail for unauthorized queue operations

Quick check with AWS CLI

List SQS queues and print each queue's access policy (with --output text the URLs come back tab-separated on one line, so split them before passing to xargs; queues with no policy print null)
aws sqs list-queues --query "QueueUrls" --output text | tr '\t' '\n' | xargs -I {} sh -c 'echo "Queue: {}"; aws sqs get-queue-attributes --queue-url {} --attribute-names Policy --query "Attributes.Policy" --output text'
Check a specific queue's policy, encryption key and dead-letter (redrive) configuration
aws sqs get-queue-attributes --queue-url YOUR_QUEUE_URL --attribute-names All --query "Attributes.{Policy:Policy,KmsMasterKeyId:KmsMasterKeyId,SqsManagedSseEnabled:SqsManagedSseEnabled,RedrivePolicy:RedrivePolicy}"
Find queues without server-side encryption (a queue is encrypted if it has a KmsMasterKeyId or SqsManagedSseEnabled is "true"; checking KmsMasterKeyId alone misreports SQS-managed SSE queues as unencrypted)
aws sqs list-queues --query "QueueUrls" --output text | tr '\t' '\n' | xargs -I {} sh -c 'echo "Queue: {}"; aws sqs get-queue-attributes --queue-url {} --attribute-names KmsMasterKeyId SqsManagedSseEnabled --query "Attributes"'
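The manual checks above, as an added example that is not part of this page or of the scanner: a Python function that grades one queue's attribute dict (the shape `get-queue-attributes --attribute-names All` returns) against the same findings. The sample queues, the account ids and the "Low" severity for a missing dead-letter queue are constructed assumptions.

```python
import json
import re

# Added example (not the scanner's code): grade one queue's attributes, in the
# shape returned by `aws sqs get-queue-attributes --attribute-names All`.
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    """Flatten a policy Principal into strings: "*", account ids or ARNs (service principals are skipped)."""
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def assess_queue(attributes, own_account):
    """Return [(severity, message)] for one queue; own_account is your 12-digit account id."""
    findings = []
    policy = json.loads(attributes.get("Policy", "{}"))
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and grants scoped by a Condition are not flagged here
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        can_send = bool(actions & {"sqs:sendmessage", "sqs:*", "*"})
        for principal in _principals(stmt.get("Principal", {})):
            m = ARN_ACCOUNT.match(principal)
            account = m.group(1) if m else (principal if principal.isdigit() else None)
            if principal == "*":
                sev = "Critical" if can_send else "High"
                findings.append((sev, f"{sorted(actions)} allowed from Principal \"*\" without conditions"))
            elif account and account != own_account:
                findings.append(("High", f"{sorted(actions)} allowed from external account {account} without conditions"))
    encrypted = attributes.get("KmsMasterKeyId") or attributes.get("SqsManagedSseEnabled") == "true"
    if not encrypted:
        findings.append(("Medium", "server-side encryption not enabled"))
    if "RedrivePolicy" not in attributes:
        findings.append(("Low", "no dead-letter queue configured"))  # severity is our own assumption
    return findings

# Constructed sample attributes for three queues (not real scanner output).
SAMPLE = {
    "prod-task-processing-queue": {"RedrivePolicy": "{}", "KmsMasterKeyId": "alias/aws/sqs", "Policy": json.dumps(
        {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": "*"}]})},
    "event-ingestion-queue": {"RedrivePolicy": "{}", "SqsManagedSseEnabled": "true", "Policy": json.dumps(
        {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                        "Action": ["sqs:ReceiveMessage"], "Resource": "*"}]})},
    "notification-queue": {"RedrivePolicy": "{}", "SqsManagedSseEnabled": "false"},
}

def scan(queues=SAMPLE, own_account="111111111111"):
    """Grade every queue; with boto3 you would build `queues` from list_queues/get_queue_attributes."""
    return {name: assess_queue(attrs, own_account) for name, attrs in queues.items()}
```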

Common misconfigurations

Queue policy allowing SendMessage from any principal
Queue accessible from external AWS accounts
No server-side encryption enabled
Missing dead-letter queue configuration

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
