SQS Queue Exposed
- Query id: abb06e5f-ef9a-4a99-98c6-376d396bfcdf
- Query name: SQS Queue Exposed
- Platform: Terraform
- Severity: High
- Category: Access Control
- URL: Github
Description¶
Checks if the SQS Queue is exposed
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_sqs_queue" "positive1" {
name = "examplequeue"
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "First",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
"Resource": "${aws_sqs_queue.q.arn}",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "${aws_sns_topic.example.arn}"
}
}
}
]
}
POLICY
}
Positive test num. 2 - tf file
module "user_queue" {
source = "terraform-aws-modules/sqs/aws"
version = "~> 2.0"
name = "user"
tags = {
Service = "user"
Environment = "dev"
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "First",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
"Resource": "${aws_sqs_queue.q.arn}",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "${aws_sns_topic.example.arn}"
}
}
}
]
}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_sqs_queue" "negative1" {
name = "examplequeue"
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "First",
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "${aws_sqs_queue.q.arn}",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "${aws_sns_topic.example.arn}"
}
}
}
]
}
POLICY
}
Negative test num. 2 - tf file
module "user_queue" {
source = "terraform-aws-modules/sqs/aws"
version = "~> 2.0"
name = "user"
tags = {
Service = "user"
Environment = "dev"
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "First",
"Effect": "Allow",
"Action": "sqs:SendMessage",
"Resource": "${aws_sqs_queue.q.arn}",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "${aws_sns_topic.example.arn}"
}
}
}
]
}
POLICY
}