SQS Queue is exposed

ID

aws_sqs_queue_exposed

Severity

critical

Vendor

AWS

Resource

IAM

Tags

reachable

Description

SQS Queue is exposed. The queue policy grants access to all users: it contains a statement with Effect=Allow and Principal="*".

To fix it, restrict the Principal property to the specific users or services that should be allowed access.

Learn more about this topic at AWS SQS Queue policy.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Example queue allowing s3 bucket notifications
      sqs_queue:
        name: "S3Notifications"
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy:
          # Quoted so YAML keeps the version as a string rather than a date
          Version: "2012-10-17"
          Id: s3-queue-policy
          Statement:
            - Sid: allowNotifications
              Effect: Allow
              # Wildcard principal: every AWS principal matches this Allow; this is what the rule flags
              Principal: "*"
              Action:
                - SQS:SendMessage
              Resource: "arn:aws:sqs:*:*:S3Notifications"
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Example queue allowing s3 bucket notifications
      sqs_queue:
        name: "S3Notifications"
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy:
          # Quoted so YAML keeps the version as a string rather than a date
          Version: "2012-10-17"
          Id: s3-queue-policy
          Statement:
            - Sid: allowNotifications
              Effect: Allow
              # Only the S3 service principal may send; the SourceArn condition pins it to one bucket
              Principal:
                Service: s3.amazonaws.com
              Action:
                - SQS:SendMessage
              Resource: "arn:aws:sqs:*:*:S3Notifications"
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"
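The following is an added example, not the scanner's own implementation: a small Python checker that applies the condition described above (an Allow statement whose Principal is the wildcard) to a queue policy. The two sample policies are constructed JSON equivalents of the Ansible examples on this page; the first is the exposed form, the second the fixed form. Because the rule fires regardless of any Condition, the checker reports whether a Condition such as aws:SourceArn is present instead of suppressing the finding, so a reviewer can see how much the wildcard is actually narrowed. The Principal handling also covers the {"AWS": "*"} spelling and list-valued elements, which the page does not show.

```python
"""Checker for the aws_sqs_queue_exposed finding (added example, hypothetical)."""
import json

# Constructed sample policies mirroring the page's Ansible examples.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Id": "s3-queue-policy",
    "Statement": [{
        "Sid": "allowNotifications",
        "Effect": "Allow",
        "Principal": "*",  # wildcard principal: the exposed configuration
        "Action": ["SQS:SendMessage"],
        "Resource": "arn:aws:sqs:*:*:S3Notifications",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:SomeBucket"}},
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Id": "s3-queue-policy",
    "Statement": [{
        "Sid": "allowNotifications",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},  # only the S3 service
        "Action": ["SQS:SendMessage"],
        "Resource": "arn:aws:sqs:*:*:S3Notifications",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:SomeBucket"}},
    }],
}


def _as_list(value):
    """IAM lets most elements be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_values(principal):
    """Flatten a Principal element ("*", {"AWS": [...]}, {"Service": ...}) to strings."""
    if isinstance(principal, dict):
        values = []
        for v in principal.values():
            values.extend(_as_list(v))
        return values
    return _as_list(principal)


def find_exposed_statements(policy):
    """Return one finding per Allow statement whose Principal is the wildcard.

    A statement is exposed when Effect is Allow and the Principal is "*" or
    {"AWS": "*"}. A Condition narrows who can use the grant, so it is reported
    for triage, but it does not suppress the finding (matching the rule above).
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with "*" are not a grant
        if "*" not in _principal_values(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "statement[%d]" % index),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def is_exposed(policy):
    """True when the policy contains at least one wildcard-principal Allow."""
    return bool(find_exposed_statements(policy))


if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_exposed_statements(policy))
```

Running the script prints one finding for the exposed policy (Sid allowNotifications, action SQS:SendMessage, conditioned) and none for the fixed one. The "conditioned" flag is deliberately informational: a SourceArn condition reduces the practical exposure, but the policy still states a wildcard principal, and the fix remains to name the intended principal as in the Mitigation example.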