{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-guides/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["partial"]},"type":"markdown"},"seo":{"title":"AWS EventBridge SQS Configuration Guide","siteUrl":"https://docs.synqly.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This guide walks you through creating Amazon EventBridge rules that route Cloud Security events to"," ","SQS queues, and configuring Synqly to read those queues. Each operation type can use a separate"," ","queue, so you deploy one EventBridge pipeline per operation. The integration uses the same AWS"," ","credential options as other AWS providers: static credentials (IAM user access keys) or role-based"," ","access (IAM role assumption)."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For AWS EventBridge SQS, the recommended split is:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Queue key"},"children":["Queue key"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Intended source"},"children":["Intended 
source"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Purpose"},"children":["Purpose"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_compliance_findings"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Security Hub compliance/control findings"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Compliance Finding data"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_threats"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Security Hub threat/detection findings and/or native GuardDuty findings"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Detection / threat data"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_cloud_resource_inventory"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Reserved for a future inventory pipeline"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cloud resource inventory"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_events"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Reserved for a future events pipeline"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cloud activity events"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Today, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_compliance_findings"]}," and 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_threats"]}," are supported in the AWS EventBridge SQS"," ","provider. The other queue keys are available in configuration so you can pre-wire queues as the"," ","additional operations are implemented."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":0},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before you begin, ensure the following AWS services are enabled in your target account and Region:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["AWS Security Hub"]}," – Publishes compliance/control findings and can also aggregate partner or"," ","service findings. See: ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html"},"children":["Enabling Security Hub"," ","CSPM"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["AWS GuardDuty"]}," – Publishes detection findings. See: ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html"},"children":["Getting started with"," ","GuardDuty"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you want Security Hub to aggregate GuardDuty findings, open Security Hub → ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integrations"]}," and"," ","ensure ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Amazon: GuardDuty"]}," shows ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Accepting findings"]},". 
See: ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html"},"children":["Integrating with AWS Security"," ","Hub"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"deploy-the-eventbridge-pipelines","__idx":1},"children":["Deploy the EventBridge pipelines"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Deploy one CloudFormation stack per queue. The recommended starting point is:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["compliance"]}," stack for ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_compliance_findings"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["threats"]}," stack for ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_threats"]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each stack creates:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["An ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SQS Standard queue"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["An ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["IAM role"]}," that lets EventBridge send messages to that queue"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["One or more ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["EventBridge rules"]}," that route the intended source events into that queue"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"compliance-template","__idx":2},"children":["Compliance template"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use this queue for 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["queues.query_compliance_findings"]},". It accepts only Security Hub"," ","compliance/control findings, rather than all Security Hub or GuardDuty findings."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The compliance rule is intentionally strict. It keeps only:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["source = aws.securityhub"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["detail-type = Security Hub Findings - Imported"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["ProductName = Security Hub"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GeneratorId"]}," values that start with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["security-control/"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["findings with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Compliance.SecurityControlId"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Compliance.Status"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["RecordState = ACTIVE"]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This keeps the compliance queue aligned with OCSF ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Compliance Finding"]}," data and avoids mixing in"," ","threat/detection findings."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Save the following template as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eventbridge-sqs-compliance.yaml"]}," and deploy 
it:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"yaml","header":{"controls":{"copy":{}}},"source":"AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: >\n  Send Security Hub compliance/control findings to an SQS Standard queue via EventBridge.\n\nParameters:\n  QueueName:\n    Type: String\n    Default: synqly-compliance-findings\n    Description: \"Name of the SQS Standard queue that will hold Security Hub compliance/control findings.\"\n\nResources:\n  SecurityEventsQueue:\n    Type: AWS::SQS::Queue\n    Properties:\n      QueueName: !Ref QueueName\n      MessageRetentionPeriod: 1209600\n      VisibilityTimeout: 60\n\n  EventBridgeToSqsRole:\n    Type: AWS::IAM::Role\n    Properties:\n      AssumeRolePolicyDocument:\n        Version: \"2012-10-17\"\n        Statement:\n          - Effect: Allow\n            Principal:\n              Service: events.amazonaws.com\n            Action: sts:AssumeRole\n      Policies:\n        - PolicyName: \"SendEventsToSqsPolicy\"\n          PolicyDocument:\n            Version: \"2012-10-17\"\n            Statement:\n              - Effect: Allow\n                Action:\n                  - sqs:SendMessage\n                Resource: !GetAtt SecurityEventsQueue.Arn\n\n  SecurityEventsRule:\n    Type: AWS::Events::Rule\n    Properties:\n      Description: \"Send Security Hub compliance/control findings to an SQS Standard queue\"\n      EventBusName: \"default\"\n      State: ENABLED\n      EventPattern:\n        source:\n          - \"aws.securityhub\"\n        detail-type:\n          - \"Security Hub Findings - Imported\"\n        detail:\n          findings:\n            ProductArn:\n              - prefix: \"arn:aws:securityhub:\"\n            ProductName:\n              - \"Security Hub\"\n            GeneratorId:\n              - prefix: \"security-control/\"\n            Compliance:\n              SecurityControlId:\n                - exists: true\n              Status:\n                - exists: 
true\n            RecordState:\n              - \"ACTIVE\"\n      Targets:\n        - Id: \"SecurityEventsQueueTarget\"\n          Arn: !GetAtt SecurityEventsQueue.Arn\n          RoleArn: !GetAtt EventBridgeToSqsRole.Arn\n\nOutputs:\n  QueueUrl:\n    Description: \"URL of the SQS Standard queue that receives compliance findings\"\n    Value: !Ref SecurityEventsQueue\n\n  QueueArn:\n    Description: \"ARN of the SQS Standard queue that receives compliance findings\"\n    Value: !GetAtt SecurityEventsQueue.Arn\n\n  EventBridgeRoleArn:\n    Description: \"IAM role used by EventBridge to send messages to the SQS queue\"\n    Value: !GetAtt EventBridgeToSqsRole.Arn\n","lang":"yaml"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["These queue settings are intentional:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["MessageRetentionPeriod: 1209600"]}," keeps messages for 14 days, which is the maximum SQS"," ","retention window and gives you more time to recover if Synqly is temporarily unable to consume"," ","the queue."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["VisibilityTimeout: 60"]}," hides a received message for 60 seconds so Synqly can process and delete"," ","it without immediate redelivery."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"threats-template","__idx":3},"children":["Threats template"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use this queue for ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["queues.query_threats"]},". 
It creates a single SQS queue and routes:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Security Hub threat/detection findings"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Native GuardDuty findings"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The threats stack uses two EventBridge rules that feed the same queue:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A Security Hub rule that keeps active threat findings and excludes compliance/control findings by"," ","requiring ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Types = Threats"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Compliance.SecurityControlId"]}," to be absent (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["exists: false"]},")"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A GuardDuty rule that accepts native ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GuardDuty Finding"]}," events directly"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Save the following template as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eventbridge-sqs-threats.yaml"]}," and deploy it:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"yaml","header":{"controls":{"copy":{}}},"source":"AWSTemplateFormatVersion: \"2010-09-09\"\nDescription: >\n  Send Security Hub threat/detection findings and native GuardDuty findings to an SQS Standard queue via EventBridge.\n\nParameters:\n  QueueName:\n    Type: String\n    Default: synqly-threat-findings\n    Description: \"Name of the SQS Standard queue that will hold Security Hub threat/detection findings and GuardDuty findings.\"\n\nResources:\n  ThreatEventsQueue:\n    Type: AWS::SQS::Queue\n    Properties:\n      QueueName: !Ref QueueName\n      MessageRetentionPeriod: 1209600\n      VisibilityTimeout: 60\n\n  EventBridgeToSqsRole:\n    Type: 
AWS::IAM::Role\n    Properties:\n      AssumeRolePolicyDocument:\n        Version: \"2012-10-17\"\n        Statement:\n          - Effect: Allow\n            Principal:\n              Service: events.amazonaws.com\n            Action: sts:AssumeRole\n      Policies:\n        - PolicyName: \"SendThreatEventsToSqsPolicy\"\n          PolicyDocument:\n            Version: \"2012-10-17\"\n            Statement:\n              - Effect: Allow\n                Action:\n                  - sqs:SendMessage\n                Resource: !GetAtt ThreatEventsQueue.Arn\n\n  SecurityHubThreatsRule:\n    Type: AWS::Events::Rule\n    Properties:\n      Description: \"Send Security Hub threat/detection findings to an SQS Standard queue\"\n      EventBusName: \"default\"\n      State: ENABLED\n      EventPattern:\n        source:\n          - \"aws.securityhub\"\n        detail-type:\n          - \"Security Hub Findings - Imported\"\n        detail:\n          findings:\n            RecordState:\n              - \"ACTIVE\"\n            Types:\n              - \"Threats\"\n            Compliance:\n              SecurityControlId:\n                - exists: false\n      Targets:\n        - Id: \"SecurityHubThreatsQueueTarget\"\n          Arn: !GetAtt ThreatEventsQueue.Arn\n          RoleArn: !GetAtt EventBridgeToSqsRole.Arn\n\n  GuardDutyThreatsRule:\n    Type: AWS::Events::Rule\n    Properties:\n      Description: \"Send native GuardDuty findings to an SQS Standard queue\"\n      EventBusName: \"default\"\n      State: ENABLED\n      EventPattern:\n        source:\n          - \"aws.guardduty\"\n        detail-type:\n          - \"GuardDuty Finding\"\n      Targets:\n        - Id: \"GuardDutyThreatsQueueTarget\"\n          Arn: !GetAtt ThreatEventsQueue.Arn\n          RoleArn: !GetAtt EventBridgeToSqsRole.Arn\n\nOutputs:\n  QueueUrl:\n    Description: \"URL of the SQS Standard queue that receives threat findings\"\n    Value: !Ref ThreatEventsQueue\n\n  QueueArn:\n    Description: \"ARN 
of the SQS Standard queue that receives threat findings\"\n    Value: !GetAtt ThreatEventsQueue.Arn\n\n  EventBridgeRoleArn:\n    Description: \"IAM role used by EventBridge to send messages to the SQS queue\"\n    Value: !GetAtt EventBridgeToSqsRole.Arn\n","lang":"yaml"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["These queue settings are intentional:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["MessageRetentionPeriod: 1209600"]}," keeps messages for 14 days, which is the maximum SQS"," ","retention window and gives you more time to recover if Synqly is temporarily unable to consume"," ","the queue."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["VisibilityTimeout: 60"]}," hides a received message for 60 seconds so Synqly can process and delete"," ","it without immediate redelivery."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"deploy-the-stacks","__idx":4},"children":["Deploy the stacks"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["From a directory containing the templates:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"aws cloudformation deploy \\\n  --template-file eventbridge-sqs-compliance.yaml \\\n  --stack-name eventbridge-sqs-compliance \\\n  --region us-east-1 \\\n  --capabilities CAPABILITY_NAMED_IAM\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"aws cloudformation deploy \\\n  --template-file eventbridge-sqs-threats.yaml \\\n  --stack-name eventbridge-sqs-threats \\\n  --region us-east-1 \\\n  --capabilities 
CAPABILITY_NAMED_IAM\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To use different queue names:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"--parameter-overrides QueueName=my-security-queue\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Recommended defaults:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Compliance queue: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["synqly-compliance-findings"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Threats queue: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["synqly-threat-findings"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"retrieve-stack-outputs","__idx":5},"children":["Retrieve stack outputs"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After deployment, get the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Queue URL"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Queue ARN"]}," from each stack:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"aws cloudformation describe-stacks \\\n  --stack-name eventbridge-sqs-compliance \\\n  --region us-east-1 \\\n  --query 'Stacks[0].Outputs'\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"aws cloudformation describe-stacks \\\n  --stack-name eventbridge-sqs-threats \\\n  --region us-east-1 \\\n  --query 'Stacks[0].Outputs'\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Copy each ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["QueueUrl"]}," value that you want to use in the 
integration. The URL includes your AWS"," ","account ID, for example:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://sqs.us-east-1.amazonaws.com/123456789012/synqly-compliance-findings"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://sqs.us-east-1.amazonaws.com/123456789012/synqly-threat-findings"]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To find your account ID separately, run ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["aws sts get-caller-identity"]}," and use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Account"]}," value."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"add-sqs-consumer-permissions","__idx":6},"children":["Add SQS Consumer Permissions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The credential (IAM user or role) used by Synqly must have these permissions on each queue you configure:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sqs:ReceiveMessage"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sqs:DeleteMessage"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sqs:GetQueueAttributes"]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you use an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["AdministratorAccess"]}," role, you already have them. 
Otherwise, create a policy with the queue ARN and attach it to the identity Synqly uses. A dedicated policy limited to these actions on the specific queue ARNs is preferable to a broad administrative role, because Synqly only needs to read and delete messages from these queues."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Get the queue ARN"]}," from the stack outputs (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#retrieve-stack-outputs"},"children":["Retrieve stack outputs"]}," above), or run:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"aws cloudformation describe-stacks \\\n  --stack-name eventbridge-sqs-compliance \\\n  --region us-east-1 \\\n  --query 'Stacks[0].Outputs[?OutputKey==`QueueArn`].OutputValue' \\\n  --output text\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you also deploy the threats stack, repeat the same command with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["--stack-name eventbridge-sqs-threats"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Example policy"]}," (replace the placeholders with the ARNs of the queues you use):"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"sqs:ReceiveMessage\",\n        \"sqs:DeleteMessage\",\n        \"sqs:GetQueueAttributes\"\n      ],\n      \"Resource\": [\n        \"<compliance-queue-arn>\",\n        \"<threats-queue-arn>\"\n      ]\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Attach this policy to the IAM user or role (or SSO permission set) that Synqly uses."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"aws-credentials-configuration","__idx":7},"children":["AWS Credentials 
Configuration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Synqly supports two methods for authenticating with AWS: static credentials (IAM user access keys)"," ","and role-based access (IAM role assumption). Role-based access is recommended for production"," ","environments because it uses short-lived credentials and provides better auditability through"," ","CloudTrail."]},{"$$mdtype":"Tag","name":"Tabs","attributes":{"size":"medium"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"label":"Role-Based Access","disable":false},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"role-based-access","__idx":8},"children":["Role-Based Access"]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Role-Based access is recommended and is considered an ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles"},"children":["AWS best"," ","practice"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Role-based access uses AWS IAM roles to grant Synqly temporary credentials to access resources in"," ","your AWS account. This eliminates long-lived credentials and provides better security through the"," ","principle of least privilege."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"1-create-an-iam-role","__idx":9},"children":["1. Create an IAM Role"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create a role in your AWS account with a name that starts with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SynqlyAccess"]}," (for example,"," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SynqlyAccessS3Reader"]},"). 
This naming convention is required."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the AWS IAM console, go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Roles"]}," and choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create role"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For trusted entity type, choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom trust policy"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter the following trust policy:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::733459310821:role/SynqlyIntegrationAccess\"\n      },\n      \"Action\": \"sts:AssumeRole\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"sts:ExternalId\": \"YOUR_EXTERNAL_ID\"\n        }\n      }\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Replace ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["YOUR_EXTERNAL_ID"]}," with a unique identifier you generate (for example, a UUID). 
You will"," ","provide this External ID when configuring the integration."]},{"$$mdtype":"Tag","name":"ol","attributes":{"start":4},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Name the role with a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SynqlyAccess"]}," prefix (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SynqlyAccessMyIntegration"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Attach the appropriate permissions policy for your use case."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create the role and note its ARN."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For more details, see:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html"},"children":["Access to AWS accounts owned by third"," ","parties"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html"},"children":["Create a role using custom trust"," ","policies"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"external-id-requirements","__idx":10},"children":["External ID Requirements"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The External ID is a security mechanism that prevents the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html"},"children":["confused deputy"," ","problem"]},". 
It ensures that"," ","only authorized requests from Synqly can assume your role."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The External ID must contain only the following characters:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Alphanumeric characters (a-z, A-Z, 0-9)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Special characters: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["+ = , . @ : / -"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Must be between 2 and 1224 characters in length"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configuring-the-integration-credentials","__idx":11},"children":["Configuring the Integration Credentials"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When creating an AWS integration in Synqly, provide the following configuration values based on your"," ","chosen authentication method."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Credential Parameter"},"children":["Credential Parameter"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Role ARN"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The ARN of the IAM role you created, for example ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::123456789012:role/SynqlyAccessMyIntegration"]},". 
The role name must start with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SynqlyAccess"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["External ID"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The External ID you specified in the role's trust policy. This value must match exactly"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Role Session Name"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OPTIONAL:"]}," A name for the role session. If not specified, Synqly generates a default session name"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Duration"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OPTIONAL:"]}," The duration of the role session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration configured on your role (default is 1 hour)"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"div","attributes":{"label":"Static Credentials (IAM User)","disable":false},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"static-credentials-iam-user","__idx":12},"children":["Static Credentials (IAM User)"]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["AWS static credentials are ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["NOT RECOMMENDED"]}," for production systems. 
See the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles"},"children":["AWS best"," ","practices"]}," ","for more details."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Static credentials consist of an Access Key ID and Secret Access Key associated with an IAM user."," ","Use this method for simpler setups."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"1-create-an-iam-user","__idx":13},"children":["1. Create an IAM User"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the AWS IAM console, go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Users"]}," and choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create user"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter a user name (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SynqlyIntegration"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Do not enable console access; this user only needs programmatic access."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under permissions, choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Attach policies directly"]}," and attach the appropriate policy for your"," ","use case. Follow least privilege: attach only the permissions described under Add SQS Consumer Permissions."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create the user."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"2-create-an-access-key","__idx":14},"children":["2. 
Create an Access Key"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Open the newly created user and choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create access key"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For the use case, choose ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Third-party service"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create the key and securely copy the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Access Key ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Secret Access Key"]},". AWS displays the Secret Access Key only when the key is created, so store it in a secrets manager and never in source control or shared documents."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For more details, see:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"},"children":["Managing access keys for IAM"," ","users"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html"},"children":["How an IAM administrator can manage IAM user access"," ","keys"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configuring-the-integration-credentials-1","__idx":15},"children":["Configuring the Integration Credentials"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When creating an AWS integration in Synqly, provide the following configuration values based on your"," ","chosen authentication 
method."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Credential Parameter"},"children":["Credential Parameter"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Access Key ID"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The Access Key ID from your IAM user's access key pair"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Secret Access Key"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The Secret Access Key from your IAM user's access key pair"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Session Token"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OPTIONAL:"]}," A temporary session token. 
Only required if you are using temporary credentials from AWS STS."]}]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-the-integration","__idx":16},"children":["Configure the Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create your integration by supplying the following configuration values."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Integration Parameter"},"children":["Integration Parameter"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Credential"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["AWS credentials with access to the SQS queue(s) (static or role-based, per the tabs above)."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Queues"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Map of operation to queue URL. Add entries for each operation you want to enable. See below."]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Synqly infers the AWS Region from the configured SQS queue URL. 
If you configure multiple queues,"," ","use queues from the same AWS Region."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"queues-by-operation","__idx":17},"children":["Queues by operation"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["queues"]}," object to map each Cloud Security operation to its SQS queue URL. Each operation"," ","can use a different queue and EventBridge pipeline."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Queue key"},"children":["Queue key"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Operation"},"children":["Operation"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_compliance_findings"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Compliance findings"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Security Hub compliance/control findings. 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Supported today."]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_threats"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Threats"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Security Hub threat/detection findings and/or GuardDuty findings. ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Supported today."]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_cloud_resource_inventory"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Cloud resource inventory"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Reserved for a future inventory pipeline."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["query_events"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Events"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Reserved for a future events pipeline."]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configuration-examples","__idx":18},"children":["Configuration examples"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Compliance only:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"type\": \"cloudsecurity_awseventbridgesqs\",\n  \"credential\": { \"...\" },\n  \"queues\": {\n    \"query_compliance_findings\": \"https://sqs.us-east-1.amazonaws.com/123456789012/synqly-compliance-findings\"\n  
}\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Compliance + threats:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"type\": \"cloudsecurity_awseventbridgesqs\",\n  \"credential\": { \"...\" },\n  \"queues\": {\n    \"query_compliance_findings\": \"https://sqs.us-east-1.amazonaws.com/123456789012/synqly-compliance-findings\",\n    \"query_threats\": \"https://sqs.us-east-1.amazonaws.com/123456789012/synqly-threat-findings\"\n  }\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Legacy (deprecated):"]}," You can still use ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["queue_url"]}," for compliance findings. It is equivalent to"," ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["queues.query_compliance_findings"]},". When both are present, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["queues"]}," takes precedence."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"message-retrieval-limits","__idx":19},"children":["Message retrieval limits"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Synqly retrieves up to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["10 messages"]}," per query or async operation. This limit is imposed by ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-messages.html"},"children":["Amazon SQS message quotas"]},": a single ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["ReceiveMessage"]}," request can return at most 10 messages."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Synqly treats these queues as consumable event queues. 
After Synqly successfully reads and"," ","processes a message, it deletes that message from SQS so it is not returned again on a later read. Because processed messages are deleted, use queues dedicated to Synqly rather than queues that other consumers also depend on."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can pass a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["limit"]}," parameter on the API request to request fewer messages (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["limit=5"]},"), but the maximum remains 10."]}]},"headings":[{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Deploy the EventBridge pipelines","id":"deploy-the-eventbridge-pipelines","depth":2},{"value":"Compliance template","id":"compliance-template","depth":3},{"value":"Threats template","id":"threats-template","depth":3},{"value":"Deploy the stacks","id":"deploy-the-stacks","depth":3},{"value":"Retrieve stack outputs","id":"retrieve-stack-outputs","depth":3},{"value":"Add SQS Consumer Permissions","id":"add-sqs-consumer-permissions","depth":2},{"value":"AWS Credentials Configuration","id":"aws-credentials-configuration","depth":2},{"value":"Role-Based Access","id":"role-based-access","depth":3},{"value":"1. Create an IAM Role","id":"1-create-an-iam-role","depth":4},{"value":"External ID Requirements","id":"external-id-requirements","depth":3},{"value":"Configuring the Integration Credentials","id":"configuring-the-integration-credentials","depth":3},{"value":"Static Credentials (IAM User)","id":"static-credentials-iam-user","depth":3},{"value":"1. Create an IAM User","id":"1-create-an-iam-user","depth":4},{"value":"2. 
Create an Access Key","id":"2-create-an-access-key","depth":4},{"value":"Configuring the Integration Credentials","id":"configuring-the-integration-credentials-1","depth":3},{"value":"Configure the Integration","id":"configure-the-integration","depth":2},{"value":"Queues by operation","id":"queues-by-operation","depth":3},{"value":"Configuration examples","id":"configuration-examples","depth":3},{"value":"Message retrieval limits","id":"message-retrieval-limits","depth":2}],"frontmatter":{"slug":"guides/provider-configuration/aws-eventbridge-sqs-setup","seo":{"title":"AWS EventBridge SQS Configuration Guide"}},"lastModified":"2026-05-06T17:04:50.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/provider-configuration/aws-eventbridge-sqs-setup","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}