SQS Queue Exposed
- Query id: 86b0efa7-4901-4edd-a37a-c034bec6645a
- Query name: SQS Queue Exposed
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
Description¶
Checks if the SQS Queue is exposed
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: example
community.aws.sqs_queue:
name: my-queue
region: ap-southeast-2
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: '2012-10-17'
Id: sqspolicy
Statement:
Sid: First
Effect: Allow
Principal: '*'
Action: sqs:SendMessage
Resource: ${aws_sqs_queue.q.arn}
Condition:
ArnEquals:
aws:SourceArn: ${aws_sns_topic.example.arn}
- name: example with list
community.aws.sqs_queue:
name: my-queue12
region: ap-southeast-1
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "sqs:*"
Resource: "*"
Principal: "*"
make_default: false
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: example
community.aws.sqs_queue:
name: my-queue
region: ap-southeast-2
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: '2012-10-17'
Id: sqspolicy
Statement:
Sid: First
Effect: Allow
Action: sqs:SendMessage
Resource: ${aws_sqs_queue.q.arn}
Condition:
ArnEquals:
aws:SourceArn: ${aws_sns_topic.example.arn}