SQS Queue Policy Allows NotPrincipal

  • Query id: 4a8fc9a2-2b2f-4b3f-aa8d-401425872034
  • Query name: SQS Queue Policy Allows NotPrincipal
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using NotPrincipal in the same policy statement as "Effect": "Allow".
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            NotPrincipal:
              AWS:
                - "111122223333"
                - "*"
Positive test num. 2 - yaml file
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            NotPrincipal:
              AWS:
                - "111122223333"
Positive test num. 3 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "NotPrincipal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
            }
          ]
        }
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "NotPrincipal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Deny"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            NotPrincipal:
              AWS:
                - "111122223333"
                - "*"
Negative test num. 2 - yaml file
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
Negative test num. 3 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "NotPrincipal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Deny",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
            }
          ]
        }
      }
    }
  }
}

Negative test num. 4 - json file
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Allow"
            }
          ]
        }
      },
      "Type": "AWS::SQS::QueuePolicy"
    }
  }
}