AWS SQS policy document has wildcard action statement.
SQS Policy actions should always be restricted to a specific set.
This ensures that the queue itself cannot be modified or deleted through the policy, and prevents any SQS actions added in the future from being implicitly allowed.
Impact
SQS policies with wildcard actions allow more than is required: a wildcard grants management actions such as deleting the queue or changing its attributes alongside the intended send and receive operations.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Keep policy scope to the minimum that is required to be effective
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of queue policy
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: something   # the AWS::SQS::Queue property is QueueName, not Name
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - Ref: MyQueue
      PolicyDocument:
        Statement:
          - Action:
              # Enumerated actions only; "SQS:*" would also grant DeleteQueue,
              # SetQueueAttributes and any action AWS adds later.
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            # A queue policy only takes effect on the queue it is attached to,
            # so the Resource must be that queue's ARN.
            Resource: !GetAtt MyQueue.Arn
            Principal:
              AWS:
                - "111122223333"
```
Keep policy scope to the minimum that is required to be effective
```hcl
# The queue the policy is attached to; the original snippet referenced
# aws_sqs_queue.q without declaring it.
resource "aws_sqs_queue" "q" {
  name = "example-queue"
}

resource "aws_sqs_queue_policy" "good_example" {
  queue_url = aws_sqs_queue.q.id

  # Actions are enumerated explicitly; "sqs:*" would also grant management
  # actions such as DeleteQueue and SetQueueAttributes.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "sqs:SendMessage"
        Resource  = aws_sqs_queue.q.arn
      }
    ]
  })
}
```
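The check described above can be reproduced outside an IaC scanner. The following is an added example, not code from this page or from the tool that documents this rule: it parses an SQS policy document (a JSON string or the already-parsed `PolicyDocument` of a CloudFormation `AWS::SQS::QueuePolicy`) and reports every wildcard action granted by an `Allow` statement. It goes slightly beyond the rule text by also flagging service-prefixed partial wildcards such as `sqs:Send*` and the `NotAction` element, which allows everything not listed and so behaves like a wildcard without containing one. The two sample documents and the function names are constructed for this example; the account and queue identifiers are the ones used on this page.

```python
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM lets Action, NotAction and Statement be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_actions(policy: Any) -> list[str]:
    """Return every wildcard action granted by an Allow statement.

    `policy` may be a JSON string or an already-parsed dict. Deny statements
    are skipped: a wildcard there narrows access rather than widening it.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings: list[str] = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction allows every action except those listed, which is an
            # implicit wildcard even though no "*" appears in the document.
            findings.append("NotAction")
        for action in _as_list(stmt.get("Action")):
            # Catches "*", "sqs:*" and partial forms such as "sqs:Send*".
            if "*" in action:
                findings.append(action)
    return findings


def has_wildcard_action(policy: Any) -> bool:
    """True when the policy would be flagged by this check."""
    return bool(wildcard_actions(policy))


# Constructed sample documents. GOOD_POLICY mirrors the shape of the
# CloudFormation example on this page; BAD_POLICY is what the check exists to catch.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["111122223333"]},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
    }],
})

BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
    }],
})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"{name}: {wildcard_actions(doc) or 'no wildcard actions'}")
```

Running the module prints `good: no wildcard actions` and `bad: ['sqs:*']`. Treating `NotAction` as a finding is a design choice: the rule text only names wildcard actions, but a policy that allows everything except a short list has exactly the property the rule warns about, namely that future SQS actions become implicitly allowed.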
Links