SQS.3: An SQS queue policy allows public access
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub SQS.3 check?
SQS.3 inspects a queue's access policy for public access. It reports FAILED when a statement grants a wildcard Principal ("*") with no fixed-value Condition constraining who can call the queue.
Why does SQS.3 matter?
A publicly accessible queue lets anyone send, receive or delete messages — they can flood it, drain legitimate messages, or inject malicious payloads into whatever downstream service consumes them. Because the blast radius spans the entire integration behind the queue, the control is rated Critical.
How do I fix SQS.3?
- Inspect the queue's access policy with get-queue-attributes.
- Distinguish a genuinely open policy from a safely scoped cross-account one that uses a fixed-value condition.
- Either scope the Principal to specific account or role ARNs, or keep the wildcard but add a constraining Condition such as aws:SourceArn.
- Re-apply the policy and verify SQS.3 passes.
Remediation script · bash
```bash
# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
  --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done
# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
  'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'
```
Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.
Is SQS.3 a false positive?
A wildcard Principal can be safe if a fixed-value Condition (e.g. aws:SourceArn) constrains it — but the control ignores wildcard conditions, so the condition must pin a real value.
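The following is an added example, not code from this page or from AWS. It implements the SQS.3 rule as the page describes it (an Allow statement with a wildcard Principal and no fixed-value Condition fails) over three constructed queue policies, so it covers both the fix procedure above and the false-positive question: the open policy fails, the cross-account policy pinned with aws:SourceArn passes, and a Condition whose value is itself a wildcard still fails. It also carries out remediation option 2 from the fix steps by adding an ArnEquals aws:SourceArn condition. The queue and topic ARNs, account id and Sids are placeholders, and treating any "*" or "?" in a condition value as non-fixed is this example's conservative assumption, not a statement of Security Hub's exact matching rule.

```python
import json
from typing import Any

# Constructed placeholder identifiers for this example (not from the page).
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders-queue"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:orders-topic"

# 1. The shape SQS.3 reports as FAILED: wildcard Principal, no Condition at all.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
        "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
    }],
})

# 2. Wildcard Principal pinned by a fixed-value aws:SourceArn: passes.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyOrdersTopic", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }],
})

# 3. A Condition exists but its value is a wildcard; the control ignores it, so this fails.
WILDCARD_CONDITION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WildcardCondition", "Effect": "Allow", "Principal": {"AWS": ["*"]},
        "Action": "sqs:*", "Resource": QUEUE_ARN,
        "Condition": {"ArnLike": {"aws:SourceArn": "*"}},
    }],
})


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} in string or list form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_fixed_value_condition(condition: Any) -> bool:
    """True when at least one condition value contains no wildcard character.

    Assumption of this example: any '*' or '?' in a value makes it non-fixed.
    """
    for key_values in (condition or {}).values():
        for value in key_values.values():
            if any("*" not in str(v) and "?" not in str(v) for v in _as_list(value)):
                return True
    return False


def _is_public(statement: dict) -> bool:
    return (
        statement.get("Effect") == "Allow"
        and _is_wildcard_principal(statement.get("Principal"))
        and not _has_fixed_value_condition(statement.get("Condition"))
    )


def public_statements(policy_json: str) -> list[str]:
    """Return the Sid (or positional label) of every statement SQS.3 would flag."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(statements) if _is_public(s)]


def scope_with_source_arn(policy_json: str, source_arn: str) -> str:
    """Keep the wildcard Principal but pin aws:SourceArn on every public statement."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement", []))
    for statement in statements:
        if _is_public(statement):
            condition = statement.setdefault("Condition", {})
            # Drop any wildcard aws:SourceArn under any operator before pinning a real one.
            for operator in list(condition):
                condition[operator].pop("aws:SourceArn", None)
                if not condition[operator]:
                    del condition[operator]
            condition.setdefault("ArnEquals", {})["aws:SourceArn"] = source_arn
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY),
                      ("wildcard-condition", WILDCARD_CONDITION_POLICY)]:
        print(f"{name}: flagged={public_statements(doc)}")
    print(scope_with_source_arn(PUBLIC_POLICY, TOPIC_ARN))
```

Feed `public_statements` the Policy attribute returned by get-queue-attributes (step 1 of the fix) to see which statements the control will flag; the output of `scope_with_source_arn` is the document to pass back with set-queue-attributes (step 4), after which the check should pass.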
More SQS controls
- SQS.1 SQS messages are not encrypted at rest