Amazon SQS (Simple Queue Service)

SQS Missing Dead Letter Queue

This plugin ensures that each Amazon SQS queue has a Dead Letter Queue configured.

Risk Level: LOW

Description:

This plugin ensures that each Amazon SQS queue has a Dead Letter Queue configured. Amazon SQS queues should have a dead letter queue configured so that messages which cannot be processed are retained for inspection instead of being lost.

About the Service:

SQS (Amazon Simple Queue Service) is a fully managed message queuing service for decoupling and scaling microservices, distributed systems, and serverless applications. SQS removes the complexity and overhead of managing and operating message-oriented middleware, allowing developers to concentrate on the work that is unique to their application. You can send, store, and receive messages between software components using SQS at any volume, without losing messages or requiring other services to be available.

Impact:

Ensure that each AWS Simple Queue Service (SQS) queue is configured to use a Dead Letter Queue (DLQ) to help sustain queue flow and prevent data loss by recognizing and mitigating errors and service outages as soon as possible. A Dead Letter Queue is an SQS queue that can isolate messages that can't be processed properly for further study. It's handy for troubleshooting your application or messaging system.

Steps to reproduce:

  1. Sign in to your AWS Management Console.
  2. Navigate to the SQS dashboard at: https://console.aws.amazon.com/sqs/
  3. Select the SQS queue that you want to examine.
  4. Click on the Dead-Letter queue tab and click on Edit.
  5. Check for the Redrive allow policy and for the Dead-letter queue options.
  6. If there is no redrive policy configured and the dead-letter queue is disabled, the selected AWS SQS queue does not have a Dead Letter Queue configured to help maintain the queue flow.
  7. Repeat steps no. 3-6 for each SQS queue present in the current region as well as for other regions.

Steps for remediation:

  1. Sign in to your AWS Management Console.
  2. Navigate to the SQS dashboard at: https://console.aws.amazon.com/sqs/
  3. Select the SQS queue that you want to examine.
  4. Click on the Dead-Letter queue tab and click on Edit.
  5. Go to Redrive allow policy and click on Enable.
  6. Go to Dead-letter queue and click on Enable, then from the Choose queue dropdown list, select the queue that should serve as the dead-letter queue.
  7. Click on Save changes to apply the changes.
  8. The queue selected as the DLQ can now receive unprocessed messages from the source SQS queue.
  9. Repeat steps no. 3-7 for each SQS queue present in the current region as well as for other regions.
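The console check and the remediation above can also be expressed as code. The following Python is an added example, not part of this knowledge base entry or of any scanner plugin: it evaluates the `RedrivePolicy` attribute of each queue the way the check does, skips queues that are themselves the dead-letter target of another queue (a DLQ has no DLQ of its own, and would otherwise be reported as a false positive), and builds the `RedrivePolicy` attribute that the remediation sets. The queue names, ARNs and account id in the sample inventory are constructed placeholders; `audit_region` assumes boto3 and AWS credentials are available.

```python
import json

# Constructed sample inventory, not a real account: queue name -> attributes as
# returned by SQS GetQueueAttributes (ARN prefix and account id are placeholders).
ARN = "arn:aws:sqs:us-east-1:123456789012:"
SAMPLE_QUEUES: dict[str, dict[str, str]] = {
    "orders": {"QueueArn": ARN + "orders", "RedrivePolicy": json.dumps(
        {"deadLetterTargetArn": ARN + "orders-dlq", "maxReceiveCount": "5"})},
    "orders-dlq": {"QueueArn": ARN + "orders-dlq"},  # the DLQ itself: needs no DLQ
    "payments": {"QueueArn": ARN + "payments"},      # no RedrivePolicy: finding
}

def dlq_target(attributes: dict[str, str]) -> str:
    """DLQ ARN from the queue's RedrivePolicy, or '' if the policy is missing,
    malformed, or has a maxReceiveCount below 1 (i.e. no usable DLQ)."""
    try:
        policy = json.loads(attributes.get("RedrivePolicy") or "{}")
        if int(policy.get("maxReceiveCount", 0)) < 1:
            return ""
        return str(policy.get("deadLetterTargetArn") or "")
    except (ValueError, TypeError, AttributeError):
        return ""

def queues_missing_dlq(queues: dict[str, dict[str, str]]) -> list[str]:
    """Names of queues with no DLQ. Queues that are the DLQ target of another
    queue are skipped: a DLQ needs no DLQ and would be a false positive."""
    targets = {dlq_target(a) for a in queues.values()} - {""}
    return sorted(name for name, attrs in queues.items()
                  if not dlq_target(attrs) and attrs.get("QueueArn") not in targets)

def redrive_policy(dlq_arn: str, max_receive_count: int = 5) -> dict[str, str]:
    """Attributes for SetQueueAttributes that attach dlq_arn as the DLQ after
    max_receive_count failed receives (SQS accepts 1..1000)."""
    if not 1 <= max_receive_count <= 1000:
        raise ValueError("maxReceiveCount must be between 1 and 1000")
    return {"RedrivePolicy": json.dumps(
        {"deadLetterTargetArn": dlq_arn, "maxReceiveCount": str(max_receive_count)})}

def audit_region(region_name: str) -> list[str]:
    """Live variant: needs boto3 and AWS credentials (assumed); returns queue URLs."""
    import boto3  # imported lazily so the offline functions run without it
    sqs = boto3.client("sqs", region_name=region_name)
    inventory = {}
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            inventory[url] = sqs.get_queue_attributes(
                QueueUrl=url, AttributeNames=["QueueArn", "RedrivePolicy"])["Attributes"]
    return queues_missing_dlq(inventory)
```

To remediate a flagged queue programmatically, pass the dictionary returned by `redrive_policy` as `Attributes` to `set_queue_attributes` on the source queue, with the same caveat about credentials.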

References: