SQS Queue Policy Allows NotAction
- Query id: 4fbfee74-8186-40d5-a24e-4baa76a855de
- Query name: SQS Queue Policy Allows NotAction
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description
AWS SQS Queue Policy should not allow NotAction, since the actions specified in that element are the only ones that are limited; every action not listed is permitted.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            NotAction:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "NotAction": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        },
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ]
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  SampleSQSPolicy1:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "SampleSQSPolicy1": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
```
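As an added example, not code from KICS or this query's documentation, the following Python checker applies the rule in the Description to a CloudFormation template parsed as JSON: it reports every Allow statement inside an AWS::SQS::QueuePolicy that uses NotAction, and it also accepts a single statement object or a string-valued NotAction, which IAM permits. The templates are rebuilt from the page's JSON samples; treating NotAction under Effect Deny as acceptable is my assumption.

```python
import json


def queue_policy(statement):
    """Wrap one policy statement in a minimal AWS::SQS::QueuePolicy template
    (constructed to mirror the page's JSON samples)."""
    return {"Resources": {"SampleSQSPolicy": {
        "Type": "AWS::SQS::QueuePolicy",
        "Properties": {
            "Queues": ["https://sqs:us-east-2.amazonaws.com/444455556666/queue2"],
            "PolicyDocument": {"Statement": [statement]}}}}}


BASE = {"Effect": "Allow",
        "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
        "Principal": {"AWS": ["111122223333"]}}
# Positive (vulnerable) and negative (safe) templates, as on this page.
VULNERABLE = queue_policy({**BASE, "NotAction": ["SQS:SendMessage", "SQS:ReceiveMessage"]})
SAFE = queue_policy({**BASE, "Action": ["SQS:SendMessage", "SQS:ReceiveMessage"]})


def find_not_action_allows(template):
    """Return (resource name, statement index, excluded actions) for every
    Allow statement in an AWS::SQS::QueuePolicy that uses NotAction.
    Assumption: NotAction under Effect Deny is the intended safe pattern
    and is not reported."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):   # a single statement object is valid
            statements = [statements]
        for idx, stmt in enumerate(statements):
            if stmt.get("Effect") != "Allow" or "NotAction" not in stmt:
                continue
            excluded = stmt["NotAction"]
            if isinstance(excluded, str):  # NotAction may be a string or a list
                excluded = [excluded]
            # Every SQS action outside `excluded` is granted to the Principal.
            findings.append((name, idx, list(excluded)))
    return findings


def scan_template_text(text):
    """Scan a CloudFormation template supplied as JSON text."""
    return find_not_action_allows(json.loads(text))


if __name__ == "__main__":
    for label, tpl in (("positive", VULNERABLE), ("negative", SAFE)):
        print(label, find_not_action_allows(tpl))
```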