
No Wildcards In Policy Documents

Severity: HIGH
Source: Trivy
ID: AVD-AWS-0097

AWS SQS policy document has wildcard action statement.

SQS policy actions should always be restricted to a specific, explicitly listed set. This ensures that the queue itself cannot be modified or deleted through the policy, and prevents any SQS actions added in the future from being implicitly allowed by a wildcard such as "sqs:*" or "*".
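As an added illustration of the condition this check reports (this is not Trivy's own Rego check), the function below scans a queue policy for Allow statements whose Action contains a wildcard, handling the string-or-list forms IAM permits and accepting the document as a dict or as JSON text; the two sample policies are constructed for the demonstration.

```python
from __future__ import annotations
import json
from typing import Any, Union

# Added example (not Trivy's own check): detects what AVD-AWS-0097 reports,
# a '*' inside the Action of an Allow statement in an SQS queue policy.


def _as_list(value: Any) -> list:
    """IAM lets Statement and Action be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_actions(policy: Union[str, dict]) -> list[dict]:
    """Return one finding per Allow statement whose Action contains '*'.

    '*', 'sqs:*' and 'sqs:Send*' are all flagged: each grants actions the
    author did not list, including ones AWS may add later. Deny statements
    are skipped, since a wildcard there narrows the grant rather than widening it.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        bad = [a for a in _as_list(stmt.get("Action")) if "*" in str(a)]
        if bad:
            findings.append({"statement": idx, "sid": stmt.get("Sid"), "actions": bad})
    return findings


# Constructed sample policies (account id and ARN are placeholders).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "111122223333"},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "arn:aws:sqs:us-east-2:111122223333:queue-name-placeholder",
    }],
}

BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Open", "Effect": "Allow", "Principal": "*", "Action": "sqs:*", "Resource": "*"},
        {"Sid": "Block", "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*"},
    ],
})
```

Running `wildcard_actions(BAD_POLICY)` reports only the Allow statement "Open"; the Deny wildcard is left alone.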

Impact

Follow the appropriate remediation steps below to resolve the issue.

Keep policy scope to the minimum that is required to be effective (CloudFormation)

AWSTemplateFormatVersion: "2010-09-09"

Description: Good example of queue policy

Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: something   # the AWS::SQS::Queue property is QueueName, not Name

  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the two actions the caller needs; no "sqs:*" or "*".
          - Action:
              - sqs:SendMessage
              - sqs:ReceiveMessage
            Effect: Allow
            Principal:
              AWS:
                - "111122223333"
            # Scope the grant to the queue this policy is attached to.
            Resource: !GetAtt MyQueue.Arn
      Queues:
        - !Ref MyQueue

Keep policy scope to the minimum that is required to be effective (Terraform)

resource "aws_sqs_queue" "q" {
  name = "something"
}

resource "aws_sqs_queue_policy" "good_example" {
  queue_url = aws_sqs_queue.q.id

  # A single explicit action; no "sqs:*" or "*". Principal "*" still admits
  # any caller, so narrow it to the accounts or roles that actually send.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.q.arn}"
    }
  ]
}
POLICY
}