AWS SQS Queue Purge

Jan 20, 2026 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SQS Use Case: Threat Detection Use Case: Log Auditing Tactic: Defense Evasion Resources: Investigation Guide ·

Share on:

Identifies when an AWS Simple Queue Service (SQS) queue is purged. Purging an SQS queue permanently deletes all messages currently in the queue. Adversaries may use this action to disrupt application workflows, destroy operational data, or impair monitoring and alerting by removing messages that contain evidence of malicious activity.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/01/08"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when an AWS Simple Queue Service (SQS) queue is purged. Purging an SQS queue permanently deletes all messages
 11currently in the queue. Adversaries may use this action to disrupt application workflows, destroy operational data, or
 12impair monitoring and alerting by removing messages that contain evidence of malicious activity.
 13"""
 14false_positives = [
 15    """
 16    Authorized administrators or automated workflows may purge SQS queues for legitimate operational reasons, such as
 17    clearing stale messages, resetting test environments, or performing approved maintenance. Verify that the action
 18    aligns with documented procedures and expected operational behavior.
 19    """,
 20]
 21from = "now-6m"
 22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "AWS SQS Queue Purge"
 26note = """## Triage and analysis
 27
 28### Investigating AWS SQS Queue Purge
 29
 30AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Purging a queue removes all pending messages and cannot be undone. While this may be required for maintenance or testing, adversaries may abuse this action to disrupt operations, delete forensic evidence, or evade detection by removing queued security or audit events.
 31
 32### Possible investigation steps
 33
 34**Identify the actor**
 35- Review `aws.cloudtrail.user_identity.arn` and `access_key_id` to determine who initiated the purge. Confirm whether this identity typically manages SQS resources and whether the action aligns with their role.
 36
 37**Review the affected queue**
 38- Identify the purged queue using `aws.cloudtrail.request_parameters` or `aws.cloudtrail.resources.arn`. Determine the purpose of the queue and whether it supports critical workflows, security tooling, or monitoring pipelines.
 39
 40**Evaluate the context of the action**
 41- Review the `@timestamp` to determine when the purge occurred and whether it aligns with maintenance windows or
 42  deployment activity.
 43- Examine `source.ip` and `user_agent.original` for anomalies such as unexpected locations, automation tools, or
 44  unfamiliar clients.
 45
 46**Correlate related activity**
 47- Search for other CloudTrail events from the same identity before and after the purge, including IAM changes, credential activity, or additional SQS operations.
 48- Look for signs of follow-on behavior such as queue deletion, policy updates, or attempts to suppress logging.
 49
 50**Validate intent**
 51- Confirm with the queue owner or application team whether the purge was intentional, approved, and expected. If no clear business justification exists, treat the activity as potentially suspicious.
 52
 53### False positive analysis
 54
 55- Queue purges performed during routine maintenance, incident recovery, or test resets may be legitimate.
 56- Automated jobs or cleanup scripts may regularly purge queues as part of normal operation.
 57
 58### Response and remediation
 59
 60- If the purge was unauthorized, immediately restrict SQS permissions for the affected identity and investigate for credential compromise.
 61- Assess operational impact and determine whether downstream systems were disrupted or lost critical data.
 62- Review recent activity to identify any additional attempts to evade detection or disable monitoring.
 63- Reinforce least-privilege IAM policies to limit which identities can perform `PurgeQueue`.
 64- Enhance monitoring and alerting for destructive SQS actions, especially in production environments.
 65- Work with application teams to document approved purge workflows and ensure adequate guardrails are in place.
 66
 67### Additional information
 68- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 69- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 70- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
 71"""
 72references = [
 73    "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_PurgeQueue.html",
 74    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
 75]
 76risk_score = 47
 77rule_id = "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd"
 78severity = "medium"
 79tags = [
 80    "Domain: Cloud",
 81    "Data Source: AWS",
 82    "Data Source: Amazon Web Services",
 83    "Data Source: AWS SQS",
 84    "Use Case: Threat Detection",
 85    "Use Case: Log Auditing",
 86    "Tactic: Defense Evasion",
 87    "Resources: Investigation Guide",
 88]
 89timestamp_override = "event.ingested"
 90type = "query"
 91
 92query = '''
 93event.dataset: "aws.cloudtrail"
 94    and event.provider: "sqs.amazonaws.com"
 95    and event.action: "PurgeQueue"
 96    and event.outcome: "success"
 97'''
 98
 99
100[[rule.threat]]
101framework = "MITRE ATT&CK"
102[[rule.threat.technique]]
103id = "T1562"
104name = "Impair Defenses"
105reference = "https://attack.mitre.org/techniques/T1562/"
106[[rule.threat.technique.subtechnique]]
107id = "T1562.008"
108name = "Disable or Modify Cloud Logs"
109reference = "https://attack.mitre.org/techniques/T1562/008/"
110
111
112
113[rule.threat.tactic]
114id = "TA0005"
115name = "Defense Evasion"
116reference = "https://attack.mitre.org/tactics/TA0005/"
117
118[rule.investigation_fields]
119field_names = [
120    "@timestamp",
121    "user.name",
122    "user_agent.original",
123    "source.ip",
124    "aws.cloudtrail.user_identity.arn",
125    "aws.cloudtrail.user_identity.type",
126    "aws.cloudtrail.user_identity.access_key_id",
127    "aws.cloudtrail.resources.arn",
128    "aws.cloudtrail.resources.type",
129    "event.action",
130    "event.outcome",
131    "cloud.account.id",
132    "cloud.region",
133    "aws.cloudtrail.request_parameters",
134]

Triage and analysis

Investigating AWS SQS Queue Purge

AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Purging a queue removes all pending messages and cannot be undone. While this may be required for maintenance or testing, adversaries may abuse this action to disrupt operations, delete forensic evidence, or evade detection by removing queued security or audit events.

Possible investigation steps

Identify the actor

Review aws.cloudtrail.user_identity.arn and access_key_id to determine who initiated the purge. Confirm whether this identity typically manages SQS resources and whether the action aligns with their role.

Review the affected queue

Identify the purged queue using aws.cloudtrail.request_parameters or aws.cloudtrail.resources.arn. Determine the purpose of the queue and whether it supports critical workflows, security tooling, or monitoring pipelines.

Evaluate the context of the action

Review the @timestamp to determine when the purge occurred and whether it aligns with maintenance windows or deployment activity.
Examine source.ip and user_agent.original for anomalies such as unexpected locations, automation tools, or unfamiliar clients.

Correlate related activity

Search for other CloudTrail events from the same identity before and after the purge, including IAM changes, credential activity, or additional SQS operations.
Look for signs of follow-on behavior such as queue deletion, policy updates, or attempts to suppress logging.

Validate intent

Confirm with the queue owner or application team whether the purge was intentional, approved, and expected. If no clear business justification exists, treat the activity as potentially suspicious.

False positive analysis

Queue purges performed during routine maintenance, incident recovery, or test resets may be legitimate.
Automated jobs or cleanup scripts may regularly purge queues as part of normal operation.

Response and remediation

If the purge was unauthorized, immediately restrict SQS permissions for the affected identity and investigate for credential compromise.
Assess operational impact and determine whether downstream systems were disrupted or lost critical data.
Review recent activity to identify any additional attempts to evade detection or disable monitoring.
Reinforce least-privilege IAM policies to limit which identities can perform PurgeQueue.
Enhance monitoring and alerting for destructive SQS actions, especially in production environments.
Work with application teams to document approved purge workflows and ensure adequate guardrails are in place.

Additional information

References

PurgeQueue - Amazon Simple Queue Service

Deletes available messages in a queue (including in-flight messages) specified by the QueueURL parameter.

Read More
Exploiting Public AWS Resources Programmatically - The Playbook - Hacking The Cloud

A playbook on how to exploit AWS resources that can be misconfigured via resource-based policies.

Read More