k9 Security now summarizes principals’ access to the SQS APIs and reports whether principals may administer queue resources or read, write, or delete messages. AWS Simple Queue Service (SQS) is a managed message queuing service that enables you to decouple and scale services in distributed systems. k9 Security’s daily reports now contain a summary of each principal’s access to SQS.
If you’re wondering which IAM principals can administer queues or send, receive, or delete messages within your AWS account, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use SQS and maps each principal’s access to a k9 access capability. For example:
In this example the ci IAM user and the AccountAdminAccessRole-Sandbox have full access to the SQS API with write-data capabilities. The AWSServiceRoleForAccessAnalyzer role only has
Here’s how SQS’ 20 API actions are mapped to k9 access capabilities:
The SQS API actions allowing creation, deletion, and configuration of queues are mapped to
PurgeQueue actions are mapped to both the delete-data capability because those actions both administer queue resources and delete message data.
Publishers send messages using actions mapped to write-data. Consumers receive and delete messages from the queue with actions mapped to
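To make the action-to-capability mapping concrete, here is a small Python classifier that expands the action patterns in an IAM policy document to concrete SQS actions and groups them by capability. This is an added example, not k9 Security's code, and it assumes several things the post does not state: only write-data and delete-data are taken from the post, the other capability names are placeholders; the action table is a subset of the real SQS API constructed for the example, with the assignments for DeleteQueue and the Get*/List* actions being assumptions; and the analysis looks at Action and Effect only, ignoring Resource, Condition and NotAction, which a real access analysis must take into account.

```python
import fnmatch
import json
from collections import defaultdict

# Capability names the post uses explicitly.
WRITE_DATA = "write-data"
DELETE_DATA = "delete-data"
# The post does not name the remaining capabilities; these are placeholders.
ADMIN = "placeholder:administer-resource"
READ_DATA = "placeholder:read-data"
READ_CONFIG = "placeholder:read-config"

# Subset of real SQS API actions, constructed for this example. Assignments
# follow the post where it is explicit (queue creation/configuration ->
# administration, PurgeQueue -> administration and delete-data, sending ->
# write-data). DeleteQueue, ChangeMessageVisibility* and the Get*/List*
# rows are assumptions.
ACTION_CAPABILITIES = {
    "CreateQueue": {ADMIN},
    "SetQueueAttributes": {ADMIN},
    "AddPermission": {ADMIN},
    "RemovePermission": {ADMIN},
    "TagQueue": {ADMIN},
    "UntagQueue": {ADMIN},
    "DeleteQueue": {ADMIN, DELETE_DATA},
    "PurgeQueue": {ADMIN, DELETE_DATA},
    "SendMessage": {WRITE_DATA},
    "SendMessageBatch": {WRITE_DATA},
    "ReceiveMessage": {READ_DATA},
    "ChangeMessageVisibility": {READ_DATA},
    "ChangeMessageVisibilityBatch": {READ_DATA},
    "DeleteMessage": {DELETE_DATA},
    "DeleteMessageBatch": {DELETE_DATA},
    "GetQueueAttributes": {READ_CONFIG},
    "GetQueueUrl": {READ_CONFIG},
    "ListQueues": {READ_CONFIG},
}


def _as_list(value):
    """IAM allows either a string or a list in Action and Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def expand_sqs_actions(patterns):
    """Expand IAM action patterns ('sqs:*', 'sqs:Send*', '*') to the concrete
    SQS actions in the table they match. Matching is case-insensitive, as in IAM."""
    matched = set()
    for pattern in _as_list(patterns):
        lowered = pattern.lower()
        if lowered == "*":
            matched.update(ACTION_CAPABILITIES)
            continue
        if not lowered.startswith("sqs:"):
            continue  # actions of other services are out of scope here
        action_glob = lowered.split(":", 1)[1]
        for action in ACTION_CAPABILITIES:
            if fnmatch.fnmatchcase(action.lower(), action_glob):
                matched.add(action)
    return matched


def effective_sqs_actions(policy):
    """Return the SQS actions a policy allows after applying the IAM rule that
    an explicit Deny overrides any Allow. Resource and Condition are ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = expand_sqs_actions(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            allowed |= actions
        elif stmt.get("Effect") == "Deny":
            denied |= actions
    return allowed - denied


def summarize_capabilities(policy):
    """Map the policy's effective SQS actions to capabilities.
    Returns {capability: sorted list of the actions granting it}."""
    summary = defaultdict(set)
    for action in effective_sqs_actions(policy):
        for capability in ACTION_CAPABILITIES[action]:
            summary[capability].add(action)
    return {cap: sorted(acts) for cap, acts in sorted(summary.items())}


# Constructed sample policy: a consumer that may receive and delete messages,
# with an explicit Deny that strips the one administrative action it was given.
CONSUMER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage*",
                "sqs:GetQueue*", "sqs:PurgeQueue"],
     "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"},
    {"Effect": "Deny", "Action": "sqs:PurgeQueue", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for capability, actions in summarize_capabilities(CONSUMER_POLICY).items():
        print(f"{capability}: {', '.join(actions)}")
```

Running the block reports delete-data (DeleteMessage, DeleteMessageBatch), the read-config placeholder (GetQueueAttributes, GetQueueUrl) and the read-data placeholder (ReceiveMessage); PurgeQueue drops out because the Deny wins, so no administer or write-data capability is reported. Reviewing principals by capability rather than by raw action list is what keeps a summary like this short enough to actually read.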
We hope k9’s new SQS analysis capabilities help you identify which IAM users and roles can use SQS queues and messages in your AWS accounts. We are happy to answer any questions!