SQS access policies should not have global "*.*" access
Description
SQS policies should not permit all users to access SQS queues. To promote the security principle of least privilege, an SQS policy should allow only necessary principals to access the queue.
Remediation Steps
AWS Console
1. Navigate to SQS.
2. Select the SQS queue.
3. Select the Permissions tab.
4. Remove any permissions that grant the SQS queue global "*.*" access.
5. Click OK.
AWS CLI
To remove the global "*.*" access, revoke the offending permission statement by its label (the label is the statement identifier, Sid, used when the permission was added; substitute the one your queue's policy uses):

    aws sqs remove-permission --queue-url https://sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --label SendMessagesFromMyQueue
Terraform
If an SQS policy is defined in an aws_sqs_queue policy field, ensure the JSON document does NOT contain BOTH an invalid principal and an invalid effect:

Invalid principal: "*"
Invalid effect: "Allow"

If an SQS policy is defined in an aws_sqs_queue_policy policy field, ensure the JSON document does NOT contain BOTH an invalid principal and an invalid effect, as listed above.
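The rule above can be applied to any queue policy document before it is deployed. The following is an added example (not code from the original page or from any scanning tool): a small Python check that flags every statement with Effect "Allow" whose Principal is "*" in either its short form or the equivalent {"AWS": "*"} form. The two sample policies and the account ID 123456789012 are constructed for the example. Note that the check flags a "*" principal even when the statement carries a Condition; review such statements by hand rather than assuming the condition narrows them enough.

```python
import json

# Constructed sample policies (not from the page): one open to every principal, one scoped.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "SQS:*",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": ["SQS:*"],
    "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue"}]})


def is_wildcard_principal(principal) -> bool:
    """True when the Principal element grants to every AWS identity.

    Both the short form "*" and the long form {"AWS": "*"} (or an "AWS" list
    that contains "*") mean "anyone", so all of them count as global access.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_global_allow_statements(policy_json: str) -> list:
    """Return the indexes of statements that are BOTH Effect=Allow and open to "*".

    Mirrors the rule above: a statement is only flagged when it combines the
    invalid principal with the invalid effect. A "Deny" for "*" is not flagged.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [i for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]


if __name__ == "__main__":
    print("open policy flagged statements:", find_global_allow_statements(OPEN_POLICY))
    print("scoped policy flagged statements:", find_global_allow_statements(SCOPED_POLICY))
```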
Example Configuration
The policy below grants access only to the account that owns the queue. The aws_caller_identity data source that the policy's Principal references is declared so the configuration applies as-is.

    data "aws_caller_identity" "current" {}

    resource "aws_sqs_queue" "granular_access_queue" {
      name = "granular_access_queue"
      # other required fields here
    }

    resource "aws_sqs_queue_policy" "granular_access" {
      queue_url = "${aws_sqs_queue.granular_access_queue.id}"

      policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "SQS:*"
          ],
          "Effect": "Allow",
          "Resource": "${aws_sqs_queue.granular_access_queue.arn}",
          "Principal": {"AWS": "${data.aws_caller_identity.current.account_id}"}
        }
      ]
    }
    POLICY
    }