BOM - AWS SQS

  • Query id: baecd2da-492a-4d59-b9dc-29540a1398e0
  • Query name: BOM - AWS SQS
  • Platform: Terraform
  • Severity: Trace
  • Category: Bill Of Materials
  • CWE: Ongoing
  • URL: Github

Description

A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_sqs_queue" "positive1" {
  name                      = "terraform-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn
    maxReceiveCount     = 4
  })

  tags = {
    Environment = "production"
  }
}


resource "aws_sqs_queue_policy" "positive1" {
  queue_url = aws_sqs_queue.positive1.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "aws_sqs_queue.positive1.arn"
    }
  ]
}
POLICY
}
Positive test num. 2 - tf file
resource "aws_sqs_queue" "positive2" {
  name                      = "terraform-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn
    maxReceiveCount     = 4
  })

  tags = {
    Environment = "production"
  }
}


resource "aws_sqs_queue_policy" "positive2" {
  queue_url = aws_sqs_queue.positive2.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal" : { 
        "AWS": [ 
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::555555555555:root" 
          ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "aws_sqs_queue.positive2.arn"
    }
  ]
}
POLICY
}
Positive test num. 3 - tf file
resource "aws_sqs_queue" "positive3" {
  name                      = "terraform-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn
    maxReceiveCount     = 4
  })

  tags = {
    Environment = "production"
  }

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "aws_sqs_queue.positive3.arn"
    }
  ]
}
POLICY
}

Positive test num. 4 - tf file
resource "aws_sqs_queue" "positive4" {
  name                      = "terraform-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn
    maxReceiveCount     = 4
  })

  tags = {
    Environment = "production"
  }

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal" : { 
        "AWS": [ 
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::555555555555:root" 
          ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "aws_sqs_queue.positive4.arn"
    }
  ]
}
POLICY
}
Positive test num. 5 - tf file
resource "aws_sqs_queue" "positive5" {
  name                      = "terraform-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn
    maxReceiveCount     = 4
  })

  tags = {
    Environment = "production"
  }

  sqs_managed_sse_enabled = true
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
module "user_queue" {
  source  = "terraform-aws-modules/sqs/aws"
  version = "~> 2.0"

  name = "user"

  tags = {
    Service     = "user"
    Environment = "dev"
  }
}