SQS access policies should not have global "*.*" access

Description

SQS policies should not permit all users to access SQS queues. To promote the security principle of least privilege, an SQS policy should allow only necessary principals to access the queue.

Remediation Steps

AWS Console

  • Navigate to SQS.

  • Select the SQS queue.

  • Select the Permissions tab.

  • Remove any permissions that grant the SQS queue global "*.*" access.

  • Click OK.

AWS CLI

  • To remove the global "*.*" access:

    • aws sqs remove-permission --queue-url https://sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --label SendMessagesFromMyQueue (replace the queue URL and the label with those of the offending statement; the label must match the Sid of the permission being removed)

Terraform

  • If an SQS policy is defined in an aws_sqs_queue policy field, ensure the JSON document does NOT contain a statement that combines an invalid principal with an invalid effect:

    • Invalid principal: "*"

    • Invalid effect: "Allow"

  • If an SQS policy is defined in an aws_sqs_queue_policy policy field, ensure the JSON document does NOT contain a statement that combines an invalid principal with an invalid effect, as listed above.
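The Terraform checks above describe a test that can be applied to any SQS policy document, not just one embedded in HCL. The following is an added example (not code from the original page or from any scanner) that implements that test in Python: it parses a policy document and reports every statement whose Effect is "Allow" and whose Principal is a wildcard, covering both the bare "*" form and the {"AWS": "*"} form (including "*" inside a list of AWS principals). The sample policies are constructed for this example. One caveat a reviewer will want: a wildcard principal with a Condition on aws:SourceArn is a common legitimate pattern for SNS-to-SQS fan-out, so the checker reports whether a flagged statement carries a Condition, while is_compliant stays strict, as the rule above is written.

```python
import json

# Constructed sample policy (not from the original page): the open-to-the-world
# pattern the rule flags, plus a wildcard principal narrowed by a Condition.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OpenToEveryone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SQS:*",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
        },
        {
            "Sid": "SnsFanout",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "SQS:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:example-topic"
                }
            },
        },
    ],
})

# Constructed sample policy that mirrors the page's example: the grant is scoped
# to one account, and the only wildcard principal appears in a Deny statement
# (a common "reject non-TLS" guard), which the rule does not flag.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OwnAccountOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "111122223333"},
            "Action": ["SQS:*"],
            "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "SQS:*",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows scalar-or-list in many fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True when the Principal element matches every caller.

    Both the bare "*" form and {"AWS": "*"} (or "*" among a list of AWS
    principals) grant to anyone; service principals such as
    {"Service": "sns.amazonaws.com"} do not.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_global_allow_statements(policy_json):
    """Return (sid, has_condition) for each Allow statement with a wildcard
    Principal. The boolean lets a reviewer separate unconditioned public
    grants from wildcard principals narrowed by a Condition."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are not the issue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "statement-%d" % index)
        findings.append((sid, "Condition" in stmt))
    return findings


def is_compliant(policy_json):
    """Strict reading of the rule: any Allow + wildcard Principal fails."""
    return not find_global_allow_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "compliant" if is_compliant(doc) else "NON-COMPLIANT",
              find_global_allow_statements(doc))
```

The same function can be run over the output of aws sqs get-queue-attributes --attribute-names Policy (the Policy attribute is the JSON string this code expects) or over the policy field of an aws_sqs_queue or aws_sqs_queue_policy resource before it is applied.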

Example Configuration

# Needed so the policy can reference the current account id.
data "aws_caller_identity" "current" {}

resource "aws_sqs_queue" "granular_access_queue" {
  name = "granular_access_queue"
  # other required fields here
}

resource "aws_sqs_queue_policy" "granular_access" {
  queue_url = aws_sqs_queue.granular_access_queue.id

  # The only principal is the queue's own account; no wildcard "*" principal.
  policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "SQS:*"
        ],
        "Effect": "Allow",
        "Resource": "${aws_sqs_queue.granular_access_queue.arn}",
        "Principal": {"AWS": "${data.aws_caller_identity.current.account_id}"}
      }
    ]
  }
  POLICY
}