SQS Policy With Public Access
- Query id: 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d
- Query name: SQS Policy With Public Access
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
SampleSQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
PolicyDocument:
Statement:
-
Action:
- "SQS:SendMessage"
- "SQS:CreateQueue"
Effect: "Allow"
Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
Principal:
AWS:
- "111122223333"
- "*"
Positive test num. 2 - yaml file
Resources:
SampleSQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
PolicyDocument:
Statement:
-
Action:
- "SQS:SendMessage"
- "SQS:AddPermission"
Effect: "Allow"
Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
Principal:
AWS:
- "111122223333"
- "arn:aws:iam::437628376:*"
Positive test num. 3 - json file
{
"Resources": {
"SampleSQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
"https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
],
"PolicyDocument": {
"Statement": [
{
"Action": [
"SQS:SendMessage",
"SQS:CreateQueue"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
"Principal": {
"AWS": [
"111122223333",
"*"
]
}
}
]
}
}
}
}
}
Positive test num. 4 - json file
{
"Resources": {
"SampleSQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
"https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
],
"PolicyDocument": {
"Statement": [
{
"Principal": {
"AWS": [
"111122223333",
"arn:aws:iam::437628376:*"
]
},
"Action": [
"SQS:SendMessage",
"SQS:AddPermission"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
}
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
SampleSQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
PolicyDocument:
Statement:
-
Action:
- "SQS:SendMessage"
- "SQS:ReceiveMessage"
Effect: "Allow"
Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
Principal:
AWS:
- "111122223333"
- "*"
Negative test num. 2 - yaml file
Resources:
SampleSQSPolicy2:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
PolicyDocument:
Statement:
-
Action:
- "SQS:SendMessage"
- "SQS:CreateQueue"
Effect: "Allow"
Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
Principal:
AWS:
- "111122223333"
Negative test num. 3 - yaml file
Resources:
SampleSQSPolicy3:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
PolicyDocument:
Statement:
-
Action:
- "SQS:SendMessage"
- "SQS:CreateQueue"
Effect: "Deny"
Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
Principal:
AWS:
- "111122223333"
- "*"
Negative test num. 4 - json file
{
"Resources": {
"SampleSQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
"https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
],
"PolicyDocument": {
"Statement": [
{
"Action": [
"SQS:SendMessage",
"SQS:ReceiveMessage"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
"Principal": {
"AWS": [
"111122223333",
"*"
]
}
}
]
}
}
}
}
}
Negative test num. 5 - json file
{
"Resources": {
"SampleSQSPolicy2": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
"https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
],
"PolicyDocument": {
"Statement": [
{
"Action": [
"SQS:SendMessage",
"SQS:CreateQueue"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
"Principal": {
"AWS": [
"111122223333"
]
}
}
]
}
}
}
}
}
Negative test num. 6 - json file
{
"Resources": {
"SampleSQSPolicy3": {
"Properties": {
"Queues": [
"https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
],
"PolicyDocument": {
"Statement": [
{
"Action": [
"SQS:SendMessage",
"SQS:CreateQueue"
],
"Effect": "Deny",
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
"Principal": {
"AWS": [
"111122223333",
"*"
]
}
}
]
}
},
"Type": "AWS::SQS::QueuePolicy"
}
}
}