SQS Policy With Public Access

  • Query id: 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d
  • Query name: SQS Policy With Public Access
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
                - "*"
Positive test num. 2 - yaml file
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:AddPermission"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
                - "arn:aws:iam::437628376:*"
Positive test num. 3 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              }
            }
          ]
        }
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Principal": {
                "AWS": [
                  "111122223333",
                  "arn:aws:iam::437628376:*"
                ]
              },
              "Action": [
                "SQS:SendMessage",
                "SQS:AddPermission"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
            }
          ]
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
  SampleSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
                - "*"
Negative test num. 2 - yaml file
Resources:
  SampleSQSPolicy2:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Allow"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
Negative test num. 3 - yaml file
Resources:
  SampleSQSPolicy3:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
      PolicyDocument:
        Statement:
          -
            Action:
              - "SQS:SendMessage"
              - "SQS:CreateQueue"
            Effect: "Deny"
            Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
            Principal:
              AWS:
                - "111122223333"
                - "*"

Negative test num. 4 - json file
{
  "Resources": {
    "SampleSQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:ReceiveMessage"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
Negative test num. 5 - json file
{
  "Resources": {
    "SampleSQSPolicy2": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333"
                ]
              }
            }
          ]
        }
      }
    }
  }
}
Negative test num. 6 - json file
{
  "Resources": {
    "SampleSQSPolicy3": {
      "Properties": {
        "Queues": [
          "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "SQS:SendMessage",
                "SQS:CreateQueue"
              ],
              "Effect": "Deny",
              "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
              "Principal": {
                "AWS": [
                  "111122223333",
                  "*"
                ]
              }
            }
          ]
        }
      },
      "Type": "AWS::SQS::QueuePolicy"
    }
  }
}