Ensure SQS policy documents do not allow * (asterisk) as a statement's action

Error: SQS policy documents allow * (asterisk) as a statement's action

Bridgecrew Policy ID: BC_AWS_IAM_46
Checkov Check ID: CKV_AWS_72
Severity: HIGH

SQS policy documents allow * (asterisk) as a statement's action

Description

The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element. Each AWS service has its own set of actions that describe tasks that can be performed with that service. Specify a value using a namespace that identifies a service, for example, iam, ec2, sqs, sns, s3, followed by the name of the action to be allowed or denied. The name must match an action that is supported by the service.

We recommend you do not allow "*" (wildcard) as the value of an Action element. This level of access could grant unwanted and unregulated access to anyone covered by the policy document. We recommend writing a refined policy that describes the specific actions allowed or required by the specific policy holder.
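As an added example (not Checkov's own implementation), the following check applies the rule described above to an SQS policy document: every Allow statement whose Action element contains the wildcard "*" is reported, whether Action is written as a single string or a list. The sample documents, account id and queue name are constructed placeholders.

```python
import json

# Added example, not Checkov's own code: a minimal check in the spirit of
# CKV_AWS_72 that flags Allow statements whose Action element is the
# wildcard "*". It handles the two shapes IAM permits for Action and
# Statement (a single string/object or a list). A service-scoped wildcard
# such as "sqs:*" is a different finding and is left alone here.


def _as_list(value):
    """IAM policy elements may be a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_action_statements(policy_document):
    """Return the Sid (or position) of every Allow statement with Action "*".

    policy_document may be a JSON string or an already-parsed dict.
    A Deny on "*" is not a finding: it only takes permissions away.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, statement in enumerate(_as_list(doc.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if any(action.strip() == "*" for action in _as_list(statement.get("Action"))):
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings


def check_policy(policy_document):
    """Checkov-style verdict for one SQS policy document."""
    return "FAILED" if wildcard_action_statements(policy_document) else "PASSED"


# Constructed sample documents; the account id and queue name are placeholders.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"
NON_COMPLIANT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEverything", "Effect": "Allow", "Principal": "*",
     "Action": ["sqs:GetQueueUrl", "*"], "Resource": QUEUE_ARN}]})
COMPLIANT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "First", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}]})

if __name__ == "__main__":
    for name, doc in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(f"{name}: {check_policy(doc)} {wildcard_action_statements(doc)}")
```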

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon SQS console.
  3. Click on the queue you want to modify.
  4. Click on the "Access Policy" tab within the queue's details page.
  5. Click "edit" next to the displayed "Access Policy".
  6. Identify any statements whose Action element is the wildcard ("*").
  7. Narrow the scope to the necessary actions, for example sqs:SendMessage.
  8. Click Save.

Fix - Buildtime

Terraform

  • Argument: statement
  • Attribute: action

resource "aws_sqs_queue_policy" "example" {
  queue_url = aws_sqs_queue.q.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "sqspolicy",
  "Statement": [
    {
      "Sid": "First",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.q.arn}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "${aws_sns_topic.example.arn}"
        }
      }
    }
  ]
}
POLICY
}