AWS SQS Queue Purge Detection
Detection of AWS Simple Queue Service (SQS) queue purging, which adversaries may leverage to disrupt application workflows, destroy operational data, or impair monitoring and alerting systems by removing critical evidence of malicious activity.
This alert detects the purging of an AWS Simple Queue Service (SQS) queue. AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Adversaries may abuse the PurgeQueue action to remove messages, potentially disrupting application workflows, destroying operational data, or impairing security monitoring and alerting by deleting audit and security events. Defenders should investigate unexpected PurgeQueue events, especially in production environments, to determine whether the action aligns with documented procedures and expected operational behavior. The rule focuses on successful PurgeQueue events within AWS CloudTrail logs and should be deployed to monitor critical SQS queues.
Attack Chain
- An attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.
- The attacker identifies SQS queues that contain valuable operational or security-related data.
- The attacker uses the
aws sqs purge-queuecommand or AWS API to purge the targeted queue. - The
PurgeQueueAPI call is logged as aPurgeQueueevent in AWS CloudTrail. - All messages within the targeted SQS queue are permanently deleted.
- Downstream systems that rely on messages from the purged queue experience disruption or data loss.
- Security monitoring systems that ingest logs from the purged queue miss critical security events.
- The attacker further exploits the environment, potentially performing data exfiltration or other malicious activities, with reduced visibility due to the purged logs.
Impact
Successful purging of an SQS queue can lead to significant disruption of application workflows and data loss. If the queue contains security-related logs, it can impair monitoring and alerting capabilities, allowing adversaries to operate with reduced visibility. The impact can range from temporary service interruptions to the permanent loss of critical operational data, depending on the purpose and content of the purged queue. This activity could affect a wide range of sectors using AWS SQS, including e-commerce, finance, and healthcare.
Recommendation
- Deploy the Sigma rule "AWS SQS Queue Purge Detected" to your SIEM and tune it for your environment to detect unauthorized queue purges in near real-time.
- Review
aws.cloudtrail.user_identity.arnandaccess_key_idin CloudTrail logs to determine the identity that initiated thePurgeQueueaction. - Reinforce least-privilege IAM policies to limit which identities can perform the
PurgeQueueaction, as outlined in the AWS Knowledge Center – Security Best Practices. - Enhance monitoring and alerting for destructive SQS actions, especially in production environments, using CloudTrail and CloudWatch.
- Investigate events where
event.actionisPurgeQueueandevent.outcomeissuccessin AWS CloudTrail logs.
Detection coverage 2
AWS SQS Queue Purge Detected
mediumDetects when an AWS SQS queue is purged, which could indicate malicious activity aimed at disrupting services or evading detection.
AWS SQS Queue Purge Initiated by Unusual User Agent
lowDetects SQS queue purges initiated by a user agent that is not typically associated with administrative tasks, potentially indicating unauthorized activity.
Detection queries are available on the platform. Get full rules →