SQS Queue Exposed

  • Query id: 86b0efa7-4901-4edd-a37a-c034bec6645a
  • Query name: SQS Queue Exposed
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

Checks if the SQS Queue is exposed
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: example
  community.aws.sqs_queue:
    name: my-queue
    region: ap-southeast-2
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: '2012-10-17'
      Id: sqspolicy
      Statement:
        Sid: First
        Effect: Allow
        Principal: '*'
        Action: sqs:SendMessage
        Resource: ${aws_sqs_queue.q.arn}
        Condition:
          ArnEquals:
          aws:SourceArn: ${aws_sns_topic.example.arn}
- name: example with list
  community.aws.sqs_queue:
    name: my-queue12
    region: ap-southeast-1
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "sqs:*"
        Resource: "*"
        Principal: "*"
    make_default: false
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: example
  community.aws.sqs_queue:
    name: my-queue
    region: ap-southeast-2
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: '2012-10-17'
      Id: sqspolicy
      Statement:
        Sid: First
        Effect: Allow
        Action: sqs:SendMessage
        Resource: ${aws_sqs_queue.q.arn}
        Condition:
          ArnEquals:
          aws:SourceArn: ${aws_sns_topic.example.arn}