Table: aws_sqs_queue - Query AWS Simple Queue Service (SQS) using SQL
The AWS Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available.
Table Usage Guide
The aws_sqs_queue
table in Steampipe provides you with information about each queue in AWS Simple Queue Service (SQS). This table allows you, as a DevOps engineer, to query queue-specific details, including ARN, URL, and associated metadata. You can utilize this table to gather insights on queues, such as their visibility timeout, message retention period, and delivery delay settings. The schema outlines the various attributes of the SQS queue for you, including the queue ARN, URL, and associated tags.
Examples
Basic info
Explore the configuration of your AWS Simple Queue Service (SQS) to understand factors like delay, message size, wait time, and visibility timeout. This can help optimize your queue management by adjusting these parameters for better performance and efficiency.
select title, delay_seconds, max_message_size, receive_wait_time_seconds, message_retention_seconds, visibility_timeout_secondsfrom aws_sqs_queue;
select title, delay_seconds, max_message_size, receive_wait_time_seconds, message_retention_seconds, visibility_timeout_secondsfrom aws_sqs_queue;
List unencrypted queues
Determine the areas in your system where message queues are not protected by encryption, which could potentially expose sensitive data to unauthorized individuals.
select title, kms_master_key_id, sqs_managed_sse_enabledfrom aws_sqs_queuewhere kms_master_key_id is null and not sqs_managed_sse_enabled;
select title, kms_master_key_id, sqs_managed_sse_enabledfrom aws_sqs_queuewhere kms_master_key_id is null and not sqs_managed_sse_enabled;
List queues encrypted with a CMK
Identify instances where AWS Simple Queue Service (SQS) queues are encrypted with a Customer Master Key (CMK) for enhanced security measures. This can be useful to verify if the queues are following your organization's security protocols.
select title, kms_master_key_id, sqs_managed_sse_enabledfrom aws_sqs_queuewhere kms_master_key_id is not null;
select title, kms_master_key_id, sqs_managed_sse_enabledfrom aws_sqs_queuewhere kms_master_key_id is not null;
List queues encrypted with an SQS-owned encryption key
Explore which AWS Simple Queue Service (SQS) queues are encrypted using an SQS-owned key. This can be useful for understanding your encryption practices and ensuring that sensitive data is properly secured.
select title, kms_master_key_id, sqs_managed_sse_enabledfrom aws_sqs_queuewhere sqs_managed_sse_enabled;
select title, kms_master_key_id, sqs_managed_sse_enabledfrom aws_sqs_queuewhere sqs_managed_sse_enabled = 1;
List queues with a message retention period less than 7 days
Discover the segments that have a message retention period of less than a week. This query is useful to identify potential areas of data loss in your AWS Simple Queue Service (SQS) due to short retention periods.
select title, message_retention_secondsfrom aws_sqs_queuewhere message_retention_seconds < '604800';
select title, message_retention_secondsfrom aws_sqs_queuewhere message_retention_seconds < 604800;
List queues which are not configured with a dead-letter queue (DLQ)
Determine the areas in your system where queues are lacking a dead-letter queue (DLQ) configuration. This can be useful for identifying potential points of failure where messages could be lost.
select title, redrive_policyfrom aws_sqs_queuewhere redrive_policy is null;
select title, redrive_policyfrom aws_sqs_queuewhere redrive_policy is null;
List FIFO queues
Discover the segments that utilize first-in, first-out (FIFO) queues in AWS Simple Queue Service (SQS), allowing you to better manage and prioritize tasks in your applications.
select title, fifo_queuefrom aws_sqs_queuewhere fifo_queue;
select title, fifo_queuefrom aws_sqs_queuewhere fifo_queue = 1;
List queues with policy statements that grant cross-account access
Discover the segments that have policy statements granting cross-account access within your queue system. This can be useful in identifying potential security risks and ensuring proper access management.
select title, p as principal, a as action, s ->> 'Effect' as effect, s -> 'Condition' as conditionsfrom aws_sqs_queue, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p, string_to_array(p, ':') as pa, jsonb_array_elements_text(s -> 'Action') as awhere s ->> 'Effect' = 'Allow' and ( pa [ 5 ] != account_id or p = '*' );
Error: The corresponding SQLite query is unavailable.
List queues with policy statements that grant anoymous access
Determine the areas in your AWS SQS queues where policy statements permit anonymous access. This is useful for identifying potential security vulnerabilities and ensuring that your queues are only accessible to authorized users.
select title, p as principal, a as action, s ->> 'Effect' as effect, s -> 'Condition' as conditionsfrom aws_sqs_queue, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p, jsonb_array_elements_text(s -> 'Action') as awhere p = '*' and s ->> 'Effect' = 'Allow';
select title, p as principal, a as action, json_extract(s, '$.Effect') as effect, json_extract(s, '$.Condition') as conditionsfrom aws_sqs_queue, json_each(json_extract(policy_std, '$.Statement')) as s, json_each( json_extract(json_extract(s.value, '$.Principal'), '$.AWS') ) as p, json_each(json_extract(s.value, '$.Action')) as awhere p.value = '*' and json_extract(s.value, '$.Effect') = 'Allow';
List queues with policy statements that grant full access (sqs:*)
Determine the areas in your AWS SQS queues where policy statements grant full access. This is useful for identifying potential security risks and ensuring that access permissions are appropriately restricted.
select title, p as principal, a as action, s ->> 'Effect' as effect, s -> 'Condition' as conditionsfrom aws_sqs_queue, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p, jsonb_array_elements_text(s -> 'Action') as awhere s ->> 'Effect' = 'Allow' and a in ('*', 'sqs:*');
Error: The corresponding SQLite query is unavailable.
Schema for aws_sqs_queue
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
content_based_deduplication | text | Mentions whether content-based deduplication is enabled for the queue. | |
deduplication_scope | text | Specifies whether message deduplication occurs at the message group or queue level. | |
delay_seconds | text | The default delay on the queue in seconds. | |
fifo_queue | boolean | Returns true if the queue is FIFO. | |
fifo_throughput_limit | text | Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. | |
kms_master_key_id | text | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. | |
max_message_size | text | The limit of how many bytes a message can contain before Amazon SQS rejects it. | |
message_retention_seconds | text | The length of time, in seconds, for which Amazon SQS retains a message. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
policy | jsonb | The resource IAM policy of the queue. | |
policy_std | jsonb | Contains the policy in a canonical form for easier searching. | |
queue_arn | text | The Amazon resource name (ARN) of the queue. | |
queue_url | text | = | The URL of the Amazon SQS queue. |
receive_wait_time_seconds | text | The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive. | |
redrive_policy | jsonb | The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. | |
region | text | The AWS Region in which the resource is located. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
sqs_managed_sse_enabled | boolean | Returns true if the queue is using SSE-SQS encryption with SQS-owned encryption keys. | |
tags | jsonb | A map of tags for the resource. | |
title | text | Title of the resource. | |
visibility_timeout_seconds | text | The visibility timeout for the queue in seconds. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_sqs_queue