Table: aws_sqs_queue - Query AWS Simple Queue Service (SQS) using SQL
The AWS Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and lets developers focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available.
Table Usage Guide
The aws_sqs_queue table in Steampipe provides you with information about each queue in AWS Simple Queue Service (SQS). This table allows you, as a DevOps engineer, to query queue-specific details, including ARN, URL, and associated metadata. You can utilize this table to gather insights on queues, such as their visibility timeout, message retention period, and delivery delay settings. The schema outlines the various attributes of the SQS queue for you, including the queue ARN, URL, and associated tags.
Examples
Basic info
Explore the configuration of your AWS Simple Queue Service (SQS) to understand factors like delay, message size, wait time, and visibility timeout. This can help optimize your queue management by adjusting these parameters for better performance and efficiency.
Postgres:
select
  title,
  delay_seconds,
  max_message_size,
  receive_wait_time_seconds,
  message_retention_seconds,
  visibility_timeout_seconds
from
  aws_sqs_queue;
SQLite:
select
  title,
  delay_seconds,
  max_message_size,
  receive_wait_time_seconds,
  message_retention_seconds,
  visibility_timeout_seconds
from
  aws_sqs_queue;
List unencrypted queues
Determine the areas in your system where message queues are not protected by encryption, which could potentially expose sensitive data to unauthorized individuals.
Postgres:
select
  title,
  kms_master_key_id,
  sqs_managed_sse_enabled
from
  aws_sqs_queue
where
  kms_master_key_id is null
  and not sqs_managed_sse_enabled;
SQLite:
select
  title,
  kms_master_key_id,
  sqs_managed_sse_enabled
from
  aws_sqs_queue
where
  kms_master_key_id is null
  and not sqs_managed_sse_enabled;
List queues encrypted with a CMK
Identify instances where AWS Simple Queue Service (SQS) queues are encrypted with a Customer Master Key (CMK) for enhanced security measures. This can be useful to verify if the queues are following your organization's security protocols.
Postgres:
select
  title,
  kms_master_key_id,
  sqs_managed_sse_enabled
from
  aws_sqs_queue
where
  kms_master_key_id is not null;
SQLite:
select
  title,
  kms_master_key_id,
  sqs_managed_sse_enabled
from
  aws_sqs_queue
where
  kms_master_key_id is not null;
List queues encrypted with an SQS-owned encryption key
Explore which AWS Simple Queue Service (SQS) queues are encrypted using an SQS-owned key. This can be useful for understanding your encryption practices and ensuring that sensitive data is properly secured.
Postgres:
select
  title,
  kms_master_key_id,
  sqs_managed_sse_enabled
from
  aws_sqs_queue
where
  sqs_managed_sse_enabled;
SQLite:
select
  title,
  kms_master_key_id,
  sqs_managed_sse_enabled
from
  aws_sqs_queue
where
  sqs_managed_sse_enabled = 1;
List queues with a message retention period less than 7 days
Identify queues whose message retention period is shorter than a week. This query is useful for spotting where messages in AWS Simple Queue Service (SQS) could be lost because of a short retention period.
Postgres (message_retention_seconds is a text column, so cast it before comparing numerically):
select
  title,
  message_retention_seconds
from
  aws_sqs_queue
where
  message_retention_seconds::int < 604800;
SQLite:
select
  title,
  message_retention_seconds
from
  aws_sqs_queue
where
  cast(message_retention_seconds as integer) < 604800;
List queues which are not configured with a dead-letter queue (DLQ)
Determine the areas in your system where queues are lacking a dead-letter queue (DLQ) configuration. This can be useful for identifying potential points of failure where messages could be lost.
Postgres:
select
  title,
  redrive_policy
from
  aws_sqs_queue
where
  redrive_policy is null;
SQLite:
select
  title,
  redrive_policy
from
  aws_sqs_queue
where
  redrive_policy is null;
List FIFO queues
List the first-in, first-out (FIFO) queues in AWS Simple Queue Service (SQS), which preserve message order and deduplicate messages, so you can see which workloads rely on ordered delivery.
Postgres:
select
  title,
  fifo_queue
from
  aws_sqs_queue
where
  fifo_queue;
SQLite:
select
  title,
  fifo_queue
from
  aws_sqs_queue
where
  fifo_queue = 1;
List queues with policy statements that grant cross-account access
Find queues whose policy contains an Allow statement for a principal in another AWS account (or the wildcard principal). This is useful for identifying potential security risks and confirming that cross-account access is intentional.
Postgres:
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_sqs_queue,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  string_to_array(p, ':') as pa,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    pa[5] != account_id
    or p = '*'
  );
SQLite: the corresponding SQLite query is unavailable.
List queues with policy statements that grant anonymous access
Determine the areas in your AWS SQS queues where policy statements permit anonymous access. This is useful for identifying potential security vulnerabilities and ensuring that your queues are only accessible to authorized users.
Postgres:
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_sqs_queue,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  p = '*'
  and s ->> 'Effect' = 'Allow';
SQLite (json_each exposes each element as the .value column, so the aliases are referenced as s.value, p.value and a.value):
select
  title,
  p.value as principal,
  a.value as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions
from
  aws_sqs_queue,
  json_each(json_extract(policy_std, '$.Statement')) as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as p,
  json_each(json_extract(s.value, '$.Action')) as a
where
  p.value = '*'
  and json_extract(s.value, '$.Effect') = 'Allow';
List queues with policy statements that grant full access (sqs:*)
Determine the areas in your AWS SQS queues where policy statements grant full access. This is useful for identifying potential security risks and ensuring that access permissions are appropriately restricted.
Postgres:
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_sqs_queue,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and a in ('*', 'sqs:*');
SQLite: the corresponding SQLite query is unavailable.
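As an added example that is not part of the Steampipe documentation or plugin, the following Python script loads a few constructed aws_sqs_queue rows into an in-memory SQLite database and runs the three policy checks above (anonymous, cross-account and full access) in SQLite's JSON dialect, including the two the page lists as unavailable. The policies follow the canonical policy_std shape (Principal.AWS and Action as arrays); the queue names and account IDs are made up, and arn_account() is a hypothetical user-defined function registered with sqlite3 to stand in for the Postgres string_to_array(p, ':')[5] step.

```python
"""Run the aws_sqs_queue policy checks against a local SQLite copy of the table.

Added example, not Steampipe's own code. The rows are constructed, and
arn_account() is a hypothetical helper registered as a SQLite function to stand
in for the Postgres string_to_array(p, ':')[5] step of the cross-account query.
"""
import json
import sqlite3

# Constructed sample rows in the canonical policy_std shape the table exposes:
# Principal.AWS and Action are arrays, Effect is 'Allow' or 'Deny'.
SAMPLE_QUEUES = [
    # Anonymous principal with sqs:* -> every check should flag it.
    ("orders-public", "111111111111", {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": ["sqs:*"]}]}),
    # Another account may send messages -> cross-account only.
    ("events-shared", "111111111111", {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["sqs:SendMessage"]}]}),
    # Same-account role, narrow action -> no findings.
    ("audit-private", "111111111111", {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app"]},
         "Action": ["sqs:ReceiveMessage"]}]}),
    # Anonymous but Deny -> ignored, the checks only look at Allow statements.
    ("deny-only", "111111111111", {"Statement": [
        {"Effect": "Deny", "Principal": {"AWS": ["*"]}, "Action": ["sqs:*"]}]}),
]


def arn_account(principal):
    """Account ID field of an IAM ARN (arn:partition:iam::ACCOUNT:...), else None."""
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) >= 6 else None


def load_table(rows=SAMPLE_QUEUES):
    """Create an in-memory aws_sqs_queue table with the columns the checks use."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("arn_account", 1, arn_account)
    conn.execute(
        "create table aws_sqs_queue (title text, account_id text, policy_std text)")
    conn.executemany(
        "insert into aws_sqs_queue values (?, ?, ?)",
        [(title, acct, json.dumps(policy)) for title, acct, policy in rows])
    return conn


# One row per (queue, Allow statement, principal, action): the same expansion the
# Postgres jsonb_array_elements() queries on this page perform.
ALLOW_GRANTS = """
from aws_sqs_queue,
  json_each(json_extract(policy_std, '$.Statement')) as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as p,
  json_each(json_extract(s.value, '$.Action')) as a
where json_extract(s.value, '$.Effect') = 'Allow'
"""


def _titles(conn, extra_condition):
    sql = "select distinct title " + ALLOW_GRANTS + " and " + extra_condition
    return sorted(row[0] for row in conn.execute(sql))


def anonymous_access(conn):
    """Queues with an Allow statement for the wildcard principal."""
    return _titles(conn, "p.value = '*'")


def cross_account_access(conn):
    """Queues granting access to a principal outside the queue's own account.
    arn_account() returns NULL for '*', so the wildcard is tested explicitly,
    exactly as the Postgres query does with pa[5] != account_id or p = '*'."""
    return _titles(conn, "(p.value = '*' or arn_account(p.value) != account_id)")


def full_access(conn):
    """Queues granting '*' or 'sqs:*' to any principal."""
    return _titles(conn, "a.value in ('*', 'sqs:*')")


if __name__ == "__main__":
    db = load_table()
    for name, check in [("anonymous", anonymous_access),
                        ("cross-account", cross_account_access),
                        ("full access", full_access)]:
        print(f"{name:14s} {check(db)}")
```

Against the constructed rows, only orders-public is reported by the anonymous and full-access checks, while the cross-account check also reports events-shared; the Deny statement on deny-only is ignored, which is why a real review should pair these queries with a look at the raw policy column for explicit denies.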
Query examples
- kms_keys_for_sqs_queue
- queue_policy_std_for_sqs_queue
- source_sqs_queues_for_api_gatewayv2_api
- sqs_queue_anonymous_access_count
- sqs_queue_by_account
- sqs_queue_by_region
- sqs_queue_by_type
- sqs_queue_content_based_deduplication
- sqs_queue_count
- sqs_queue_delay_seconds
- sqs_queue_encryption
- sqs_queue_encryption_details
- sqs_queue_encryption_table
- sqs_queue_fifo_count
- sqs_queue_input
- sqs_queue_message
- sqs_queue_message_retention_seconds
- sqs_queue_overview
- sqs_queue_policy
- sqs_queue_tags_detail
- sqs_queue_unencrypted_count
- sqs_queues_for_kms_key
- sqs_queues_for_s3_bucket
- target_sqs_queues_for_api_gatewayv2_api
Control examples
- All Controls > SQS > AWS SQS queues should be encrypted at rest
- All Controls > SQS > SQS queue policies should prohibit public access
- All Controls > SQS > SQS queues should be configured with a dead-letter queue.
- All Controls > SQS > SQS queues should be encrypted with KMS CMK
- AWS Foundational Security Best Practices > SQS > 1 Amazon SQS queues should be encrypted at rest
Schema for aws_sqs_queue
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
content_based_deduplication | text | | Mentions whether content-based deduplication is enabled for the queue. |
deduplication_scope | text | | Specifies whether message deduplication occurs at the message group or queue level. |
delay_seconds | text | | The default delay on the queue in seconds. |
fifo_queue | boolean | | Returns true if the queue is FIFO. |
fifo_throughput_limit | text | | Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. |
kms_master_key_id | text | | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. |
max_message_size | text | | The limit of how many bytes a message can contain before Amazon SQS rejects it. |
message_retention_seconds | text | | The length of time, in seconds, for which Amazon SQS retains a message. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | The resource IAM policy of the queue. |
policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
queue_arn | text | | The Amazon resource name (ARN) of the queue. |
queue_url | text | = | The URL of the Amazon SQS queue. |
receive_wait_time_seconds | text | | The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive. |
redrive_policy | jsonb | | The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
sqs_managed_sse_enabled | boolean | | Returns true if the queue is using SSE-SQS encryption with SQS-owned encryption keys. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
visibility_timeout_seconds | text | | The visibility timeout for the queue in seconds. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_sqs_queue