SQS Policy Allows All Actions

• Query id: ed9b3beb-92cf-44d9-a9d2-171eeba569d4
• Query name: SQS Policy Allows All Actions
• Platform: Ansible
• Severity: High
• Category: Access Control
• URL: Github

Description

SQS policy allows ALL (*) actions
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: Second SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue2
    region: ap-southeast-3
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "aws:action"
        Resource: "*"
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
    make_default: false
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: Create SQS queue with redrive policy
  community.aws.sqs_queue:
    name: my-queue
    region: ap-southeast-2
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present