SQS Queue Policy Allows NotAction
- Query id: 4fbfee74-8186-40d5-a24e-4baa76a855de
- Query name: SQS Queue Policy Allows NotAction
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description
An AWS SQS queue policy should not combine `Effect: Allow` with `NotAction`. `NotAction` lists the actions to exclude, so an Allow statement built on it grants every other action: in the sample below the principal gets everything except `SQS:SendMessage` and `SQS:ReceiveMessage`, including destructive operations such as deleting or purging the queue. List the permitted actions explicitly with `Action` instead. (`NotAction` with `Effect: Deny`, the "deny everything except" pattern, is not the problem this query targets.)
Documentation
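As an added example (not KICS code and not taken from the AWS documentation), the Python below implements the check described above over a parsed CloudFormation template and then evaluates the flagged statement against a few real SQS actions to show what an Allow/NotAction statement actually grants. The template dict is constructed from this page's positive and negative samples (with the queue URL host written as `sqs.us-east-2`); the function names, the `SQS_ACTIONS` list and the decision to ignore Principal, Resource and Condition are my own choices.

```python
"""Added example: flag CloudFormation SQS queue policies that Allow with
NotAction, and show which actions such a statement really grants."""
import fnmatch
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM lets Statement, Action and NotAction be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM compares action names case-insensitively; '*' and '?' are wildcards.
    (fnmatch also treats '[...]' specially; SQS action names contain no brackets.)"""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement: dict, action: str) -> bool:
    """Does the statement apply to `action`? NotAction inverts the match: the
    statement applies to every action NOT listed. Principal, Resource and
    Condition are deliberately ignored; only the action element is evaluated."""
    if "NotAction" in statement:
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return any(action_matches(p, action) for p in _as_list(statement.get("Action")))


def granted_actions(statement: dict, candidates: list[str]) -> list[str]:
    """Actions from `candidates` that an Allow statement would permit."""
    if statement.get("Effect") != "Allow":
        return []
    return [a for a in candidates if statement_covers(statement, a)]


def find_notaction_allows(template: dict) -> list[str]:
    """Paths of AWS::SQS::QueuePolicy statements combining Effect: Allow with
    NotAction. Deny + NotAction is not flagged: that is the legitimate
    'deny everything except' pattern."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        if isinstance(doc, str):          # policy embedded as a JSON string
            doc = json.loads(doc)
        for i, st in enumerate(_as_list(doc.get("Statement"))):
            if st.get("Effect") == "Allow" and "NotAction" in st:
                findings.append(f"Resources.{name}.Properties.PolicyDocument.Statement[{i}]")
    return findings


# Constructed template: the page's positive sample (NotAction) next to its
# negative sample (explicit Action), as one CloudFormation JSON document.
TEMPLATE = {
    "Resources": {
        "SampleSQSPolicy2": {
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "Queues": ["https://sqs.us-east-2.amazonaws.com/444455556666/queue2"],
                "PolicyDocument": {"Statement": [{
                    "NotAction": ["SQS:SendMessage", "SQS:ReceiveMessage"],
                    "Effect": "Allow",
                    "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
                    "Principal": {"AWS": ["111122223333"]},
                }]},
            },
        },
        "SampleSQSPolicy1": {
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "Queues": ["https://sqs.us-east-2.amazonaws.com/444455556666/queue2"],
                "PolicyDocument": {"Statement": [{
                    "Action": ["SQS:SendMessage", "SQS:ReceiveMessage"],
                    "Effect": "Allow",
                    "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
                    "Principal": {"AWS": ["111122223333"]},
                }]},
            },
        },
    }
}

# A handful of real SQS API actions to evaluate the statements against.
SQS_ACTIONS = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteQueue",
               "sqs:PurgeQueue", "sqs:SetQueueAttributes", "sqs:AddPermission"]

FLAGGED = TEMPLATE["Resources"]["SampleSQSPolicy2"]["Properties"]["PolicyDocument"]["Statement"][0]
SAFE = TEMPLATE["Resources"]["SampleSQSPolicy1"]["Properties"]["PolicyDocument"]["Statement"][0]

if __name__ == "__main__":
    for path in find_notaction_allows(TEMPLATE):
        print("finding:", path)
    print("NotAction statement grants:", granted_actions(FLAGGED, SQS_ACTIONS))
    print("Action statement grants:   ", granted_actions(SAFE, SQS_ACTIONS))
```

Running it reports the `SampleSQSPolicy2` statement and shows that it grants `sqs:DeleteQueue`, `sqs:PurgeQueue`, `sqs:SetQueueAttributes` and `sqs:AddPermission` to account 111122223333, while the `Action`-based statement grants only the two messaging calls. To reuse the scanner on a real template, parse the file with `json.load` (or PyYAML for YAML templates) and pass the resulting dict to `find_notaction_allows`.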
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          # Allow + NotAction: grants every SQS action except the two listed
          - NotAction:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "NotAction": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        },
        "Queues": [
          "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
        ]
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  SampleSQSPolicy1:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          # Explicit Action list: only these two operations are granted
          - Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "SampleSQSPolicy1": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs.us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
```