SQS Policy With Public Access

  • Query id: d994585f-defb-4b51-b6d2-c70f020ceb10
  • Query name: SQS Policy With Public Access
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
- name: First SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue1
    region: ap-southeast-1
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "sqs:*"
        Resource: "*"
        Principal: "*"
    make_default: false
    state: present
- name: Second SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue2
    region: ap-southeast-3
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
        Principal:
          AWS: "*"
    make_default: false
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: First SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue1
    region: ap-southeast-1
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: sqs:*
        Resource: '*'
        Principal: Principal
    make_default: false
    state: present