Establishing Least Privilege Access for Your Encrypted Amazon SQS Queue


on 03 MAR 2023

in Intermediate (200), Security, Identity, & Compliance, Technical How-to

Amazon Simple Queue Service (SQS) is a fully-managed messaging service that allows you to decouple and scale microservices, distributed systems, and serverless applications. It offers robust authentication mechanisms to manage access to your queues. Additionally, it ensures data security with encryption during transit via HTTP over SSL or TLS, alongside server-side encryption using AWS Key Management Service (AWS KMS) to safeguard the data flowing through SQS. These measures enable Amazon SQS to be used for exchanging sensitive information between applications. With the integration of SQS and AWS KMS, you can centrally manage the keys that protect both Amazon SQS and your other AWS resources.

AWS services, like Amazon Simple Storage Service (S3) and Amazon Simple Notification Service (SNS), can serve as event sources that dispatch events to SQS. To grant an event source access to an encrypted SQS queue, you must configure the queue with a customer-managed key in AWS KMS and then modify the key policy to permit the event source to call the AWS KMS API operations it needs. The event source also needs permission on the queue itself to send events to it. You grant that permission through an SQS policy, a resource-based policy that controls access to the SQS queue and the data it holds.

In this article, we will guide you through managing access to your encrypted SQS queue using both the key policy and the SQS policy, with a focus on achieving least privilege access. We will also explain how the resource-based policies discussed herein tackle the confused deputy problem by utilizing the aws:SourceArn, aws:SourceAccount, and aws:PrincipalOrgID global AWS Identity and Access Management (IAM) condition context keys.

Solution Overview

In this section, we will illustrate a typical use case for structuring your key policy and SQS queue policy, as depicted in Figure 1.

Figure 1: Architecture for Publishing Amazon SNS Messages to Amazon SQS

The outlined solution follows these steps:

  1. The message producer is an Amazon SNS topic, configured to send messages to an encrypted SQS queue, protected by an AWS KMS customer-managed key.
  2. The message consumer could be a compute service, such as an AWS Lambda function, an Amazon EC2 instance, or an AWS Fargate container, which processes messages from the queue.
  3. The SQS queue is set to redirect failed messages to a dead-letter queue (DLQ), assisting in debugging your application or messaging system by isolating undelivered messages to identify processing failures.

Note: If the message consumer operates within an Amazon Virtual Private Cloud (VPC) and you need to restrict message reception to that specific VPC, you should apply the DenyReceivingIfNotThroughVPCE policy statement to your SQS queue policy.
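The queue side of the architecture above, written out as an added example (this code is not part of the original post and is not AWS-published code): a Python function builds the SQS queue policy with a SendMessage grant for the SNS topic that is scoped with aws:SourceArn and aws:SourceAccount, a processing grant for the consumer role, and the DenyReceivingIfNotThroughVPCE statement from the note. A second function performs the confused-deputy check the article describes: it lists every Allow statement that grants a service principal access without one of the aws:SourceArn, aws:SourceAccount or aws:PrincipalOrgID condition keys. The account ID, region, topic, queue, role and VPC endpoint identifiers are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; substitute your own values.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:orders-topic"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:orders-queue"
CONSUMER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/orders-consumer-role"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"  # placeholder VPC endpoint ID

# Global condition keys that tie a service-principal grant to a specific caller.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}


def build_queue_policy(restrict_to_vpce: bool = True) -> dict:
    """Resource-based policy for the encrypted queue fed by the SNS topic."""
    statements = [
        {
            # SNS may only deliver on behalf of this one topic in this account.
            "Sid": "AllowSnsTopicToSendMessages",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": QUEUE_ARN,
            "Condition": {
                "ArnEquals": {"aws:SourceArn": TOPIC_ARN},
                "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
            },
        },
        {
            # The consumer needs only the actions required to read, hide and delete messages.
            "Sid": "AllowConsumerRoleToProcessMessages",
            "Effect": "Allow",
            "Principal": {"AWS": CONSUMER_ROLE_ARN},
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:GetQueueAttributes",
            ],
            "Resource": QUEUE_ARN,
        },
    ]
    if restrict_to_vpce:
        # Explicit deny wins over any Allow: receiving is possible only via the named endpoint.
        statements.append(
            {
                "Sid": "DenyReceivingIfNotThroughVPCE",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "sqs:ReceiveMessage",
                "Resource": QUEUE_ARN,
                "Condition": {"StringNotEquals": {"aws:sourceVpce": VPC_ENDPOINT_ID}},
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_service_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant an AWS service principal
    access without any caller-scoping condition key (confused-deputy exposure)."""
    flagged = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        present = {
            key.lower()
            for operator_block in stmt.get("Condition", {}).values()
            for key in operator_block
        }
        if not present & SCOPING_KEYS:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = build_queue_policy()
    print(json.dumps(policy, indent=2))
    print("Unscoped service grants:", unscoped_service_statements(policy))
```

Run the checker against any queue policy you already have deployed (for example the output of `aws sqs get-queue-attributes --attribute-names Policy`): an empty list means every service-principal grant names the source it is allowed to act for.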

Prerequisites

This article focuses solely on the necessary IAM permissions, provided as policy statements. To construct the policy, you will need to incorporate these statements into your SQS policy or AWS KMS key policy. This article does not cover the creation of the SQS queue or the AWS KMS key, so ensure you have completed the following prerequisites:

  • Set up an SQS queue. Refer to the documentation for instructions on how to create a queue (console) in Amazon SQS.
  • Generate an AWS KMS key. For guidance, see the AWS KMS documentation on creating keys.

Least-Privilege Key Policy for Amazon SQS

This section outlines the necessary least-privilege permissions in AWS KMS for the customer-managed key used to encrypt your SQS queue. Implementing these permissions helps restrict access solely to the intended entities while adhering to the principles of least privilege. The key policy should include the following statements:

  • Grant administrator permissions to the KMS key.
  • Grant read-only access to the key metadata.
  • Allow AWS KMS permissions for Amazon SNS to publish messages to the queue.
  • Permit consumers to decrypt messages from the queue.
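The four key-policy statements listed above, as an added example (not code from the original post or from AWS): a Python function builds the customer-managed key policy with an administration statement, a read-only metadata statement, a scoped grant for the SNS service principal limited to kms:GenerateDataKey* and kms:Decrypt, and a kms:Decrypt grant for the consumer role. Two helper functions then answer the least-privilege question the section raises, namely which actions each principal actually ends up with. The account ID, role ARNs and topic ARN are constructed placeholders, and the helpers intentionally evaluate only Allow statements and action wildcards, not Deny statements or Condition blocks.

```python
import fnmatch
import json

# Constructed placeholder identifiers; substitute your own values.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
KEY_ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/kms-key-admin-role"
KEY_AUDITOR_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/kms-key-auditor-role"
CONSUMER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/orders-consumer-role"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:orders-topic"


def build_key_policy() -> dict:
    """Least-privilege key policy for the customer-managed key that encrypts the queue.
    In a key policy, Resource "*" means the key the policy is attached to."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Administration only: no Encrypt/Decrypt, so admins cannot read queue data.
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": KEY_ADMIN_ROLE_ARN},
                "Action": [
                    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                ],
                "Resource": "*",
            },
            {
                # Read-only visibility into key metadata for auditing.
                "Sid": "AllowReadOnlyKeyMetadata",
                "Effect": "Allow",
                "Principal": {"AWS": KEY_AUDITOR_ROLE_ARN},
                "Action": [
                    "kms:DescribeKey", "kms:GetKeyPolicy",
                    "kms:GetKeyRotationStatus", "kms:ListResourceTags",
                ],
                "Resource": "*",
            },
            {
                # SNS needs a data key to encrypt messages it writes to the queue,
                # and only when acting for this specific topic in this account.
                "Sid": "AllowSnsToPublishToEncryptedQueue",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
                "Resource": "*",
                "Condition": {
                    "ArnEquals": {"aws:SourceArn": TOPIC_ARN},
                    "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
                },
            },
            {
                # The consumer only ever needs to decrypt what it receives.
                "Sid": "AllowConsumerToDecryptMessages",
                "Effect": "Allow",
                "Principal": {"AWS": CONSUMER_ROLE_ARN},
                "Action": "kms:Decrypt",
                "Resource": "*",
            },
        ],
    }


def _principals(stmt: dict) -> set:
    """Flatten a statement's Principal element into a set of identifiers."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for value in principal.values():
        found.update([value] if isinstance(value, str) else value)
    return found


def allowed_actions_for(policy: dict, principal: str) -> set:
    """Collect the action patterns granted to a principal by Allow statements."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or principal not in _principals(stmt):
            continue
        action = stmt["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def is_action_allowed(policy: dict, principal: str, action: str) -> bool:
    """Match a concrete action against the principal's granted patterns (wildcards honoured)."""
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in allowed_actions_for(policy, principal))


if __name__ == "__main__":
    print(json.dumps(build_key_policy(), indent=2))
```

The checks worth keeping in a unit test are the negative ones: the key administrator must not be able to decrypt, the consumer must not be able to encrypt, and the SNS principal must receive nothing beyond data-key generation and decryption.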

