SQS Queue Policy Allows NotPrincipal
- Query id: 4a8fc9a2-2b2f-4b3f-aa8d-401425872034
- Query name: SQS Queue Policy Allows NotPrincipal
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description
Checks whether a statement in an SQS queue policy combines "Effect": "Allow" with a NotPrincipal element. AWS strongly recommends against using NotPrincipal in the same policy statement as "Effect": "Allow", since such a statement grants access to every principal except the ones listed.
Documentation
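As an added illustration (not part of the KICS query or its documentation), the check below walks a JSON-format CloudFormation template, finds every AWS::SQS::QueuePolicy statement and flags the Allow + NotPrincipal combination while leaving Deny + NotPrincipal and Allow + Principal alone. The helper function names and the minimal template builder are assumptions for this example; the account IDs and queue ARN are the constructed values used in the page's samples.

```python
import json
from typing import Any

QUEUE_POLICY_TYPE = "AWS::SQS::QueuePolicy"


def iter_queue_policy_statements(template: dict):
    """Yield (resource_name, index, statement) for each statement of every
    AWS::SQS::QueuePolicy resource. IAM allows "Statement" to be a single
    object instead of a list, so that shape is normalised here too."""
    for name, res in template.get("Resources", {}).items():
        if not isinstance(res, dict) or res.get("Type") != QUEUE_POLICY_TYPE:
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):
            stmts = [stmts]
        for idx, stmt in enumerate(stmts):
            if isinstance(stmt, dict):
                yield name, idx, stmt


def find_allow_with_notprincipal(template: dict) -> list[dict[str, Any]]:
    """Flag statements that pair Effect: Allow with NotPrincipal (the condition
    this query reports). Deny + NotPrincipal is the legitimate use of the element."""
    findings = []
    for name, idx, stmt in iter_queue_policy_statements(template):
        if stmt.get("Effect") == "Allow" and "NotPrincipal" in stmt:
            findings.append({"resource": name, "statement": idx,
                             "not_principal": stmt["NotPrincipal"],
                             "fix": "use an explicit Principal, or Effect: Deny"})
    return findings


def scan_template_json(text: str) -> list[dict[str, Any]]:
    """Run the check on a JSON template (YAML with intrinsic tags such as !Ref
    would need a tag-aware loader, which this example does not cover)."""
    return find_allow_with_notprincipal(json.loads(text))


def queue_policy_template(statement: dict, name: str = "SampleSQSPolicy") -> dict:
    """Constructed minimal template wrapping one queue policy statement (assumed helper)."""
    return {"Resources": {name: {"Type": QUEUE_POLICY_TYPE, "Properties": {
        "Queues": ["https://sqs:us-east-2.amazonaws.com/444455556666/queue2"],
        "PolicyDocument": {"Statement": [statement]}}}}}


if __name__ == "__main__":
    bad = queue_policy_template({"Effect": "Allow", "NotPrincipal": {"AWS": ["111122223333", "*"]},
                                 "Action": ["SQS:SendMessage"],
                                 "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"})
    print(find_allow_with_notprincipal(bad))  # one finding for SampleSQSPolicy
```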
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            NotPrincipal:
              AWS:
                - "111122223333"
                - "*"
Positive test num. 2 - yaml file
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            NotPrincipal:
              AWS:
                - "111122223333"
Positive test num. 3 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "NotPrincipal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
            }
          ]
        }
      }
    }
  }
}
Positive test num. 4 - json file
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "NotPrincipal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# this code is a correct code for which the query should not find any result
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Deny"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            NotPrincipal:
              AWS:
                - "111122223333"
                - "*"
Negative test num. 2 - yaml file
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
Negative test num. 3 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "NotPrincipal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Deny",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
            }
          ]
        }
      }
    }
  }
}
Negative test num. 4 - json file
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Allow"
            }
          ]
        }
      },
      "Type": "AWS::SQS::QueuePolicy"
    }
  }
}