SQS Policy With Public Access
- Query id: d994585f-defb-4b51-b6d2-c70f020ceb10
- Query name: SQS Policy With Public Access
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- CWE: Ongoing
- URL: Github
Description¶
Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: First SQS queue with policy
community.aws.sqs_queue:
name: my-queue1
region: ap-southeast-1
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "sqs:*"
Resource: "*"
Principal: "*"
make_default: false
state: present
- name: Second SQS queue with policy
community.aws.sqs_queue:
name: my-queue2
region: ap-southeast-3
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "*"
Resource: "*"
Principal:
AWS: "*"
make_default: false
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: First SQS queue with policy
community.aws.sqs_queue:
name: my-queue1
region: ap-southeast-1
default_visibility_timeout: 120
message_retention_period: 86400
maximum_message_size: 1024
delivery_delay: 30
receive_message_wait_time: 20
policy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: sqs:*
Resource: '*'
Principal: Principal
make_default: false
state: present