SQS policy allows all actions

ID

aws_sqs_policy_actions

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The SQS queue policy allows all actions instead of granting permissions gradually as necessary: a statement has Effect=Allow together with a wildcard Action such as "*" (the example below uses the service-wide form SQS:*). Any principal the statement matches can then perform every queue operation, not only the one it needs.

To fix it, list only the specific actions that should be permitted in the Action property.

Learn more about this topic at AWS SQS.
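The detection logic behind this check, as an added example that is not the tool's own code: it flags every statement whose Effect is Allow and whose Action (string or list) is a wildcard, ignores Deny statements, and walks an Ansible playbook to check the policy of each sqs_queue task. The policy dicts and the playbook structure are constructed here to mirror the Examples section; the module names looked up in a task (sqs_queue and the community.aws.sqs_queue FQCN) are an assumption about how the task is written.

```python
"""Flag SQS queue policy statements that allow every action.

Added example for the check described above, not the checker's own code.
The policies and playbook below are constructed from the Examples section.
"""
import re
from typing import Any, Dict, List, Union

# IAM action names are case-insensitive; "*" and "sqs:*" both grant every
# queue operation, so either form is treated as a wildcard.
_WILDCARD_ACTION = re.compile(r"^(\*|sqs:\*)$", re.IGNORECASE)

# Task keys under which an SQS queue definition is looked for (assumption).
_SQS_MODULES = ("sqs_queue", "community.aws.sqs_queue")


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM lets Action be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_wildcard_action(action: str) -> bool:
    """True for "*" / "sqs:*" (any case), False for a concrete action."""
    return bool(_WILDCARD_ACTION.match(action.strip()))


def find_wildcard_allow_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or list index) of each Allow statement with a wildcard Action.

    A Deny statement with Action "*" is not a finding: it restricts rather than grants.
    """
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        if any(is_wildcard_action(a) for a in _as_list(stmt.get("Action"))):
            findings.append(str(stmt.get("Sid", idx)))
    return findings


def find_in_playbook(playbook: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Walk every play/task and check the policy of each sqs_queue task.

    Returns {task name: [offending Sids]} for tasks that have findings.
    """
    results: Dict[str, List[str]] = {}
    for play in playbook:
        for task in play.get("tasks", []) or []:
            for module in _SQS_MODULES:
                args = task.get(module)
                if isinstance(args, dict) and isinstance(args.get("policy"), dict):
                    hits = find_wildcard_allow_statements(args["policy"])
                    if hits:
                        results[task.get("name", module)] = hits
    return results


def _policy(action: str, effect: str = "Allow") -> Dict[str, Any]:
    """Build a constructed queue policy shaped like the page's example."""
    return {
        "Version": "2012-10-17",
        "Id": "s3-queue-policy",
        "Statement": [{
            "Sid": "allowNotifications",
            "Effect": effect,
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": [action],
            "Resource": "arn:aws:sqs:*:*:S3Notifications",
            "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:SomeBucket"}},
        }],
    }


VULNERABLE_POLICY = _policy("SQS:*")            # what the check flags
FIXED_POLICY = _policy("SQS:SendMessage")        # the mitigated form
DENY_WILDCARD_POLICY = _policy("*", "Deny")      # wildcard Deny is not a finding

# Constructed playbook with one vulnerable and one fixed queue task.
SAMPLE_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [
        {"name": "Vulnerable queue", "sqs_queue": {"name": "S3Notifications", "policy": VULNERABLE_POLICY}},
        {"name": "Fixed queue", "sqs_queue": {"name": "S3Notifications", "policy": FIXED_POLICY}},
    ],
}]

if __name__ == "__main__":
    for task_name, sids in find_in_playbook(SAMPLE_PLAYBOOK).items():
        print(f"{task_name}: statements allowing all actions -> {sids}")
```

Only the task whose statement uses SQS:* is reported; the SendMessage-only policy and the Deny wildcard pass. To run this over real playbooks, load the file with yaml.safe_load and pass the resulting list to find_in_playbook.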

Examples

---
# Ansible playbook: the queue policy grants every SQS action (SQS:*),
# which is what this check flags.
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Example
      sqs_queue:
        name: "S3Notifications"
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy:
          Version: "2012-10-17"   # quoted so YAML keeps it a string, not a date
          Id: s3-queue-policy
          Statement:
            - Sid: allowNotifications
              Effect: Allow
              Principal:
                Service: s3.amazonaws.com
              Action:
                - SQS:*            # wildcard: allows all actions
              Resource: "arn:aws:sqs:*:*:S3Notifications"
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"

Mitigation / Fix

---
# Ansible playbook: the same queue, but the policy grants only the action
# the S3 notification integration needs.
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Example
      sqs_queue:
        name: "S3Notifications"
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy:
          Version: "2012-10-17"   # quoted so YAML keeps it a string, not a date
          Id: s3-queue-policy
          Statement:
            - Sid: allowNotifications
              Effect: Allow
              Principal:
                Service: s3.amazonaws.com
              Action:
                - SQS:SendMessage  # only the specific action required
              Resource: "arn:aws:sqs:*:*:S3Notifications"
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"