SQS Policy Allows All Actions
- Query id: ed9b3beb-92cf-44d9-a9d2-171eeba569d4
- Query name: SQS Policy Allows All Actions
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
SQS policy allows ALL (*) actions
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: Second SQS queue with policy
community.aws.sqs_queue:
name: my-queue2
region: ap-southeast-3
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "aws:action"
Resource: "*"
- Effect: "Allow"
Action: "*"
Resource: "*"
make_default: false
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Create SQS queue with redrive policy
community.aws.sqs_queue:
name: my-queue
region: ap-southeast-2
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: logs:CreateLogGroup
Resource: '*'
make_default: false
state: present