CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00322
- creditSnyk Research Team
Description
Using the wildcard action in an SQS policy grants permission to perform any action, which is against 'least privilege' principle.
How to fix?
Ensure that the Action field in the policy heredoc is set to specific actions, for examplesqs:SendMessage.
Example Configuration
resource "aws_sqs_queue_policy" "q" {
policy = <<POLICY
{
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
# other required fields here
}
]
}
POLICY
}
Ensure that the Action field in the Properties.PolicyDocument attribute is set to specific actions, for example sqs:SendMessage.
Example Configuration
JSON example configuration:
"ExampleSQSPolicy" : {
"Properties" : {
"PolicyDocument": {
"Statement":[{
"Action":["SQS:SendMessage"],
"Effect":"Allow",
"Principal": "*"
// other required fields here
}]
}
}
}
YAML example configuration:
ExampleSQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
-
Action:
- "SQS:SendMessage"
Effect: "Allow"
Principal: "*"
<!-- other required fields here -->