SQS Queue Policy Allows NotAction

  • Query id: 4fbfee74-8186-40d5-a24e-4baa76a855de
  • Query name: SQS Queue Policy Allows NotAction
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

AWS SQS Queue Policy should not allow NotAction, since the actions specified in this element are the only actions that are limited; an Allow statement with NotAction grants every other action.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            NotAction:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
Positive test num. 2 - json file
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "NotAction": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        },
        "Queues": [
          "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  SampleSQSPolicy1:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
Negative test num. 2 - json file
{
  "Resources": {
    "SampleSQSPolicy1": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
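The following Python example is added here to illustrate the check; it is not the KICS query itself nor code from the KICS project. It embeds trimmed, constructed copies of the positive and negative JSON samples above, flags any AWS::SQS::QueuePolicy statement that combines Effect: Allow with NotAction, and evaluates a single statement against an action name to show why the finding matters: the NotAction statement grants an action such as sqs:DeleteQueue that it never names, whereas the explicit Action statement does not. The function names (find_notaction_allow, statement_allows) are this example's own, and the evaluator deliberately ignores Principal, Resource and Condition, looking only at the Action/NotAction element.

```python
import fnmatch
import json

# Constructed inline copies of the page's JSON samples, trimmed to the parts the
# check needs (the Queues property is omitted). Not read from disk.
POSITIVE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [{
            "NotAction": ["SQS:SendMessage", "SQS:ReceiveMessage"],
            "Effect": "Allow",
            "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
            "Principal": {"AWS": ["111122223333"]}
          }]
        }
      }
    }
  }
}
""")

NEGATIVE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SampleSQSPolicy1": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [{
            "Action": ["SQS:SendMessage", "SQS:ReceiveMessage"],
            "Effect": "Allow",
            "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
            "Principal": {"AWS": ["111122223333"]}
          }]
        }
      }
    }
  }
}
""")


def _as_list(value):
    """IAM policy elements may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_allows(stmt, action):
    """Return True if this single statement grants `action`.

    Only the Effect and Action/NotAction elements are considered (Principal,
    Resource and Condition are ignored for this illustration). An Allow
    statement with NotAction grants every action that does NOT match the list.
    """
    if str(stmt.get("Effect", "")).lower() != "allow":
        return False
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def find_notaction_allow(template):
    """Flag AWS::SQS::QueuePolicy statements that combine Effect: Allow with NotAction.

    Handles Statement given either as a list or as a single object, and
    NotAction given either as a string or as a list.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
            if not isinstance(stmt, dict) or "NotAction" not in stmt:
                continue
            if str(stmt.get("Effect", "")).lower() != "allow":
                continue
            findings.append({
                "resource": name,
                "statement_index": idx,
                "not_action": _as_list(stmt["NotAction"]),
            })
    return findings


if __name__ == "__main__":
    for label, tpl in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE)):
        print(label, "findings:", find_notaction_allow(tpl))
    pos = POSITIVE_TEMPLATE["Resources"]["SampleSQSPolicy2"]["Properties"]["PolicyDocument"]["Statement"][0]
    neg = NEGATIVE_TEMPLATE["Resources"]["SampleSQSPolicy1"]["Properties"]["PolicyDocument"]["Statement"][0]
    for action in ("sqs:SendMessage", "sqs:DeleteQueue"):
        print(action, "NotAction grants:", statement_allows(pos, action),
              "| Action grants:", statement_allows(neg, action))
```

Running the script shows the asymmetry the description describes: the negative template yields no findings and its statement grants only the two named actions, while the positive template is flagged and its statement grants sqs:DeleteQueue (and any other SQS action) precisely because those actions are absent from the NotAction list. Rewriting such a statement with an explicit Action list, as in the negative samples, keeps the grant to what was actually intended.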