steampipe plugin install aws

Table: aws_sqs_queue - Query AWS Simple Queue Service (SQS) using SQL

The AWS Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and lets developers focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available.

Table Usage Guide

The aws_sqs_queue table in Steampipe provides you with information about each queue in AWS Simple Queue Service (SQS). This table allows you, as a DevOps engineer, to query queue-specific details, including ARN, URL, and associated metadata. You can utilize this table to gather insights on queues, such as their visibility timeout, message retention period, and delivery delay settings. The schema outlines the various attributes of the SQS queue for you, including the queue ARN, URL, and associated tags.

Examples

Basic info

Explore the configuration of your AWS Simple Queue Service (SQS) to understand factors like delay, message size, wait time, and visibility timeout. This can help optimize your queue management by adjusting these parameters for better performance and efficiency.

select
title,
delay_seconds,
max_message_size,
receive_wait_time_seconds,
message_retention_seconds,
visibility_timeout_seconds
from
aws_sqs_queue;

List unencrypted queues

Determine the areas in your system where message queues are not protected by encryption, which could potentially expose sensitive data to unauthorized individuals.

select
title,
kms_master_key_id,
sqs_managed_sse_enabled
from
aws_sqs_queue
where
kms_master_key_id is null
and not sqs_managed_sse_enabled;

List queues encrypted with a CMK

Identify instances where AWS Simple Queue Service (SQS) queues are encrypted with a Customer Master Key (CMK) for enhanced security measures. This can be useful to verify if the queues are following your organization's security protocols.

select
title,
kms_master_key_id,
sqs_managed_sse_enabled
from
aws_sqs_queue
where
kms_master_key_id is not null;

List queues encrypted with an SQS-owned encryption key

Explore which AWS Simple Queue Service (SQS) queues are encrypted using an SQS-owned key. This can be useful for understanding your encryption practices and ensuring that sensitive data is properly secured.

Postgres:

select
title,
kms_master_key_id,
sqs_managed_sse_enabled
from
aws_sqs_queue
where
sqs_managed_sse_enabled;

SQLite:

select
title,
kms_master_key_id,
sqs_managed_sse_enabled
from
aws_sqs_queue
where
sqs_managed_sse_enabled = 1;
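The three encryption queries above each answer one yes/no question. The following query is an added example, not part of the Steampipe documentation, that classifies every queue's at-rest encryption in a single pass and summarizes the counts, so an unencrypted queue cannot hide between three separate result sets. It assumes Steampipe's Postgres dialect and that SQS reports the AWS-managed KMS key as the alias alias/aws/sqs (anything else in kms_master_key_id is treated as a customer-managed key).

```sql
-- Added example, not from the Steampipe documentation. Assumes the Postgres
-- dialect Steampipe exposes and that the AWS-managed SQS key is reported as
-- 'alias/aws/sqs'; any other non-null kms_master_key_id is a customer-managed key.
with queue_encryption as (
  select
    title,
    region,
    account_id,
    kms_master_key_id,
    case
      -- SSE-SQS and SSE-KMS are mutually exclusive on a queue, so the first
      -- matching branch is the effective setting
      when sqs_managed_sse_enabled then 'SSE-SQS (SQS-owned key)'
      when kms_master_key_id = 'alias/aws/sqs' then 'SSE-KMS (AWS-managed key)'
      when kms_master_key_id is not null then 'SSE-KMS (customer-managed key)'
      else 'UNENCRYPTED'
    end as encryption
  from
    aws_sqs_queue
)
select
  encryption,
  count(*) as queues,
  -- list the affected queues so the UNENCRYPTED row is immediately actionable
  string_agg(title, ', ' order by title) as queue_titles
from
  queue_encryption
group by
  encryption
order by
  encryption;
```

Drop the outer aggregation and select directly from the queue_encryption CTE (optionally with where encryption = 'UNENCRYPTED') to get one row per queue with its region and account for remediation.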

List queues with a message retention period less than 7 days

Find queues whose message retention period is less than a week. This query is useful to identify potential areas of data loss in your AWS Simple Queue Service (SQS) due to short retention periods.

Postgres:

select
title,
message_retention_seconds
from
aws_sqs_queue
where
-- message_retention_seconds is a text column; cast it so the comparison is
-- numeric rather than lexicographic (as text, '1000000' sorts before '604800')
message_retention_seconds::int < 604800;

SQLite:

select
title,
message_retention_seconds
from
aws_sqs_queue
where
cast(message_retention_seconds as integer) < 604800;

List queues which are not configured with a dead-letter queue (DLQ)

Determine the areas in your system where queues are lacking a dead-letter queue (DLQ) configuration. This can be useful for identifying potential points of failure where messages could be lost.

select
title,
redrive_policy
from
aws_sqs_queue
where
redrive_policy is null;
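The query above only finds queues with no redrive policy at all. The following added example, not part of the Steampipe documentation, goes one step further for the queues that do have one: it unpacks the dead-letter target and maxReceiveCount, resolves the DLQ by self-joining on queue_arn, and flags a DLQ whose retention period is not longer than the source queue's, because a message keeps its original enqueue timestamp when it is moved and can therefore expire in the DLQ almost immediately. It assumes Steampipe's Postgres dialect and the standard redrive policy keys deadLetterTargetArn and maxReceiveCount.

```sql
-- Added example, not from the Steampipe documentation. Assumes the Postgres
-- dialect and the SQS redrive policy keys deadLetterTargetArn / maxReceiveCount.
-- The DLQ is resolved by self-joining on queue_arn; if it lives in a region or
-- account this Steampipe connection cannot see, the dlq_* columns are null.
select
  src.title as source_queue,
  src.redrive_policy ->> 'deadLetterTargetArn' as dlq_arn,
  (src.redrive_policy ->> 'maxReceiveCount')::int as max_receive_count,
  src.message_retention_seconds::int as source_retention_seconds,
  dlq.message_retention_seconds::int as dlq_retention_seconds,
  -- a moved message keeps its original enqueue timestamp, so the DLQ needs a
  -- longer retention period than the source or it may expire the message at once
  dlq.message_retention_seconds::int <= src.message_retention_seconds::int
    as dlq_retention_too_short,
  -- true when the target ARN does not resolve to a queue Steampipe can see
  dlq.queue_arn is null as dlq_not_visible
from
  aws_sqs_queue as src
  left join aws_sqs_queue as dlq
    on dlq.queue_arn = (src.redrive_policy ->> 'deadLetterTargetArn')
where
  src.redrive_policy is not null
order by
  dlq_retention_too_short desc nulls last,
  source_queue;
```

Rows with dlq_not_visible = true deserve a second look: either the connection's region list is incomplete, or the redrive policy points at a queue that no longer exists, in which case failed messages are silently dropped after maxReceiveCount attempts.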

List FIFO queues

Find the first-in, first-out (FIFO) queues in AWS Simple Queue Service (SQS), allowing you to better manage and prioritize tasks in your applications.

Postgres:

select
title,
fifo_queue
from
aws_sqs_queue
where
fifo_queue;

SQLite:

select
title,
fifo_queue
from
aws_sqs_queue
where
fifo_queue = 1;

List queues with policy statements that grant cross-account access

Find queues whose policy statements grant cross-account access. This can be useful in identifying potential security risks and ensuring proper access management.

select
title,
p as principal,
a as action,
s ->> 'Effect' as effect,
s -> 'Condition' as conditions
from
aws_sqs_queue,
jsonb_array_elements(policy_std -> 'Statement') as s,
jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
string_to_array(p, ':') as pa,
jsonb_array_elements_text(s -> 'Action') as a
where
s ->> 'Effect' = 'Allow'
and (
pa [ 5 ] != account_id
or p = '*'
);
SQLite: no equivalent query is provided for this example.

List queues with policy statements that grant anonymous access

Determine the areas in your AWS SQS queues where policy statements permit anonymous access. This is useful for identifying potential security vulnerabilities and ensuring that your queues are only accessible to authorized users.

Postgres:

select
title,
p as principal,
a as action,
s ->> 'Effect' as effect,
s -> 'Condition' as conditions
from
aws_sqs_queue,
jsonb_array_elements(policy_std -> 'Statement') as s,
jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
jsonb_array_elements_text(s -> 'Action') as a
where
p = '*'
and s ->> 'Effect' = 'Allow';

SQLite:

select
title,
p as principal,
a as action,
json_extract(s, '$.Effect') as effect,
json_extract(s, '$.Condition') as conditions
from
aws_sqs_queue,
json_each(json_extract(policy_std, '$.Statement')) as s,
json_each(
json_extract(json_extract(s.value, '$.Principal'), '$.AWS')
) as p,
json_each(json_extract(s.value, '$.Action')) as a
where
p.value = '*'
and json_extract(s.value, '$.Effect') = 'Allow';

List queues with policy statements that grant full access (sqs:*)

Determine the areas in your AWS SQS queues where policy statements grant full access. This is useful for identifying potential security risks and ensuring that access permissions are appropriately restricted.

select
title,
p as principal,
a as action,
s ->> 'Effect' as effect,
s -> 'Condition' as conditions
from
aws_sqs_queue,
jsonb_array_elements(policy_std -> 'Statement') as s,
jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
jsonb_array_elements_text(s -> 'Action') as a
where
s ->> 'Effect' = 'Allow'
and a in ('*', 'sqs:*');
SQLite: no equivalent query is provided for this example.
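The three policy queries above (cross-account, anonymous, and full access) each return a flat list of matching statements without saying how exposed each one actually is. The following added example, not part of the Steampipe documentation, combines them into one review query that labels the principal scope, marks sqs:* / * grants, and separates statements that carry no Condition block from those that do. That last distinction matters in triage: a Principal of * with a condition is the usual shape of a service integration (for example an SNS topic allowed to send to the queue, scoped by a source ARN), whereas an unconditional Allow to * or to another account is reachable by anyone matching the principal. It assumes Steampipe's Postgres dialect and the policy_std canonical form the queries above rely on (Principal.AWS and Action always arrays); split_part(p, ':', 5) extracts the account ID from a principal ARN such as arn:aws:iam::123456789012:root.

```sql
-- Added example, not from the Steampipe documentation. Assumes the Postgres
-- dialect and the policy_std canonical form (Principal.AWS and Action are
-- always JSON arrays). split_part(p, ':', 5) pulls the account ID out of a
-- principal ARN like arn:aws:iam::123456789012:root (constructed sample value).
select
  q.title,
  q.queue_arn,
  p as principal,
  a as action,
  case
    when p = '*' then 'anonymous'
    when split_part(p, ':', 5) <> q.account_id then 'cross-account'
    else 'same-account'
  end as principal_scope,
  -- a wildcard action grants every SQS API, including deleting the queue
  a in ('*', 'sqs:*') as full_access,
  -- an Allow with no Condition block applies to every caller matching the
  -- principal; a conditioned one is usually narrowed (e.g. to one SNS topic)
  (s -> 'Condition') is null as unconditional,
  s -> 'Condition' as conditions
from
  aws_sqs_queue as q,
  jsonb_array_elements(q.policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    p = '*'
    or split_part(p, ':', 5) <> q.account_id
    or a in ('*', 'sqs:*')
  )
order by
  unconditional desc,
  principal_scope,
  q.title;
```

Rows that are both unconditional and anonymous come first and are the ones to fix immediately; conditioned anonymous rows still need a check that the condition actually restricts the caller (a source ARN or source account) rather than something the caller controls.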

Schema for aws_sqs_queue

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
content_based_deduplication | text | | Mentions whether content-based deduplication is enabled for the queue.
deduplication_scope | text | | Specifies whether message deduplication occurs at the message group or queue level.
delay_seconds | text | | The default delay on the queue in seconds.
fifo_queue | boolean | | Returns true if the queue is FIFO.
fifo_throughput_limit | text | | Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group.
kms_master_key_id | text | | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK.
max_message_size | text | | The limit of how many bytes a message can contain before Amazon SQS rejects it.
message_retention_seconds | text | | The length of time, in seconds, for which Amazon SQS retains a message.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policy | jsonb | | The resource IAM policy of the queue.
policy_std | jsonb | | Contains the policy in a canonical form for easier searching.
queue_arn | text | | The Amazon resource name (ARN) of the queue.
queue_url | text | = | The URL of the Amazon SQS queue.
receive_wait_time_seconds | text | | The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive.
redrive_policy | jsonb | | The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object.
region | text | | The AWS Region in which the resource is located.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
sqs_managed_sse_enabled | boolean | | Returns true if the queue is using SSE-SQS encryption with SQS-owned encryption keys.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
visibility_timeout_seconds | text | | The visibility timeout for the queue in seconds.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_sqs_queue