SQS Policy has dangerous access for all principals
| Field | Value |
|---|---|
| ID | aws_sqs_policy_dangerous_access |
| Severity | high |
| Vendor | AWS |
| Resource | IAM |
| Tags | reachable |
Description
SQS Policy has dangerous access for all principals, instead of granting permissions gradually as necessary. The policy contains a statement with Effect=Allow and a dangerous Action. These actions are:
- AddPermission
- ChangeMessageVisibility
- CreateQueue
- DeleteMessage
- DeleteQueue
- PurgeQueue
- RemovePermission
- SetQueueAttributes
- TagQueue
- UntagQueue
To fix it, you must configure the actions that allow access in the Action property for specific Principals.
Learn more about this topic at AWS SQS.
Examples

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Example
      sqs_queue:
        name: "S3Notifications"
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy:
          Version: "2012-10-17"   # quoted so YAML does not parse it as a date
          Id: s3-queue-policy
          Statement:
            - Sid: allowNotifications
              Effect: Allow
              # Principal "*" grants every AWS principal the right to modify
              # the queue's own permissions: this is what the rule flags.
              Principal: "*"
              Action:
                - SQS:AddPermission
              Resource: "arn:aws:sqs:*:*:S3Notifications"
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"
```
Mitigation / Fix

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Example
      sqs_queue:
        name: "S3Notifications"
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy:
          Version: "2012-10-17"   # quoted so YAML does not parse it as a date
          Id: s3-queue-policy
          Statement:
            - Sid: allowNotifications
              Effect: Allow
              # Only the S3 service principal, and only the action it needs.
              Principal:
                Service: s3.amazonaws.com
              Action:
                - SQS:SendMessage
              Resource: "arn:aws:sqs:*:*:S3Notifications"
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"
```
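The check this rule performs, written out as an added example (not the scanner's own code): it walks the `policy` dict that the `sqs_queue` module's `policy:` key holds, and reports any `Allow` statement whose principal is `"*"` (or `{"AWS": "*"}`) and whose actions cover one of the ten queue-administration actions listed above. It goes slightly beyond the page's examples by also resolving `*` and `sqs:*` wildcards and matching action names case-insensitively, as IAM does; the `VULNERABLE` and `FIXED` dicts are constructed inputs mirroring the two playbooks.

```python
import fnmatch

# The ten queue-administration actions this rule names, lowercased.
DANGEROUS_ACTIONS = {
    "addpermission", "changemessagevisibility", "createqueue", "deletemessage",
    "deletequeue", "purgequeue", "removepermission", "setqueueattributes",
    "tagqueue", "untagqueue",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # "*" and {"AWS": "*"} grant to every principal; a Service principal does not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _dangerous_actions(actions):
    # IAM matches action names case-insensitively and allows "*" wildcards.
    hits = set()
    for action in _as_list(actions):
        if action == "*":
            return set(DANGEROUS_ACTIONS)
        service, _, name = action.lower().partition(":")
        if service == "sqs":
            hits.update(a for a in DANGEROUS_ACTIONS if fnmatch.fnmatchcase(a, name))
    return hits

def find_dangerous_statements(policy):
    """Return [(Sid, sorted dangerous actions)] for each offending statement."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        hits = _dangerous_actions(stmt.get("Action", []))
        if hits:
            findings.append((stmt.get("Sid"), sorted(hits)))
    return findings

# Constructed inputs mirroring the two policies on this page (Resource/Condition omitted).
VULNERABLE = {"Statement": [{"Sid": "allowNotifications", "Effect": "Allow",
                             "Principal": "*", "Action": ["SQS:AddPermission"]}]}
FIXED = {"Statement": [{"Sid": "allowNotifications", "Effect": "Allow",
                        "Principal": {"Service": "s3.amazonaws.com"}, "Action": ["SQS:SendMessage"]}]}

if __name__ == "__main__":
    print(find_dangerous_statements(VULNERABLE), find_dangerous_statements(FIXED))
```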