Ensure SQS policy does not allow ALL (*) actions
ID | sqs_policy
Severity | high
Vendor | AWS
Resource | Amazon Simple Queue Service (SQS)
Tags | reachable
Description
Amazon Web Services (AWS) Simple Queue Service (SQS) is a managed messaging service designed for integration into distributed software systems and components. It offers a web services API that can be used from any programming language supported by the AWS SDK.
Making an SQS queue public, however, risks exposing an established interface to unintended third parties, potentially allowing unauthorized access to the data stream and leaking data to untrusted entities.
Examples
Buildtime
Terraform
# Resource label "q" is assumed here; Terraform requires one and the original snippet omitted it.
resource "aws_sqs_queue_policy" "q" {
  queue_url = aws_sqs_queue.q.id
  policy    = <<POLICY
{
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*", (1)
      "Resource": "${aws_sqs_queue.q.arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_sns_topic.example.arn}"
        }
      }
    }
  ]
}
POLICY
}
(1) The Action attribute inside the policy is too permissive: "*" grants every SQS API action on the queue.
Mitigation / Fix
Buildtime
Terraform
# Resource label "q" is assumed here; Terraform requires one and the original snippet omitted it.
resource "aws_sqs_queue_policy" "q" {
  queue_url = aws_sqs_queue.q.id
  policy    = <<POLICY
{
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ARN:01010101010:TEST:SAMPLE"
      },
      "Action": "sqs:SendMessage", (1)
      "Resource": "${aws_sqs_queue.q.arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_sns_topic.example.arn}"
        }
      }
    }
  ]
}
POLICY
}
(1) Ensure the Action attribute inside the policy is well defined: name only the SQS actions the principal needs.
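The check behind this policy can be reproduced offline against the queue policy document itself. The following Python is an added example (not code from the page or from any scanner vendor): it parses a policy JSON, normalises the scalar-or-list shapes IAM permits, and flags every Allow statement whose Action is a wildcard. The two embedded policies are constructed to mirror the Buildtime and Fix examples above, with the Terraform interpolations replaced by placeholder ARNs; the principal ARN in the scoped policy is likewise a constructed placeholder. It goes one step beyond the page in also treating an Allow statement that uses NotAction as a wildcard grant, since such a statement allows every action not listed.

```python
import json

# Constructed placeholder ARNs standing in for the page's Terraform interpolations.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:q"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example"

# Mirrors the Buildtime example: Allow, Principal "*", Action "*".
PERMISSIVE_POLICY = json.dumps({
    "Id": "sqspolicy",
    "Statement": [{
        "Sid": "First",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }],
})

# Mirrors the Mitigation example: a named principal and a single SQS action.
SCOPED_POLICY = json.dumps({
    "Id": "sqspolicy",
    "Statement": [{
        "Sid": "First",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # placeholder
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}},
    }],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action: str) -> bool:
    """True for '*' and 'sqs:*' (IAM action names are case-insensitive)."""
    return action.strip().lower() in ("*", "sqs:*")


def find_wildcard_actions(policy_json: str) -> list:
    """Return the Sid (or positional label) of each Allow statement that
    grants all SQS actions, either via a wildcard Action or via NotAction."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with "*" narrows access; it is not the issue here
        label = stmt.get("Sid", f"Statement[{idx}]")
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        if "NotAction" in stmt or any(is_wildcard_action(a) for a in actions):
            findings.append(label)
    return findings


def check_policy(policy_json: str) -> bool:
    """Scanner-style verdict: True when the policy passes (no wildcard Allow)."""
    return not find_wildcard_actions(policy_json)


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        verdict = "PASS" if check_policy(doc) else "FAIL"
        print(f"{name}: {verdict} {find_wildcard_actions(doc)}")
```

In a pipeline the policy string would come from the rendered `aws_sqs_queue_policy` resource or from `get-queue-attributes` on a live queue; the verdict logic is the same either way. Note that the Condition on `aws:SourceArn` does not rescue the first policy: it constrains who may invoke the actions, but the actions themselves remain unbounded, which is exactly what this check flags.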