SQS queue policy allows all actions on the resource Affecting SQS service in AWS

Snyk CCSS

General/ Best Practices

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-ControlsCSA-CCMISO-27001SOC-2

Snyk IDSNYK-CC-00322
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

Using the wildcard action in an SQS policy grants permission to perform any action, which is against 'least privilege' principle.

How to fix?

Ensure that the Action field in the policy heredoc is set to specific actions, for examplesqs:SendMessage.

Example configuration:

resource "aws_sqs_queue_policy" "q" {
  policy = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      # other required fields here
    }
  ]
}
POLICY
}

Ensure that the Action field in the Properties.PolicyDocument attribute is set to specific actions, for example sqs:SendMessage.

Example configuration:

JSON example configuration:

"ExampleSQSPolicy" : {
    "Properties" : {
        "PolicyDocument": {
            "Statement":[{
                "Action":["SQS:SendMessage"],
                "Effect":"Allow",
                "Principal": "*"
                // other required fields here
            }]
        }
    }
}

YAML example configuration:

ExampleSQSPolicy: 
    Type: AWS::SQS::QueuePolicy
    Properties: 
        PolicyDocument: 
            Statement: 
                - 
                    Action: 
                        - "SQS:SendMessage" 
                    Effect: "Allow"
                    Principal: "*"      
                    <!--  other required fields here -->

CloudFormation

AWS::SQS::QueuePolicy

Terraform

Resource: aws_sqs_queue_policy

References

Identity and access management in Amazon SQS