Ensure SQS queue policy is not public by only allowing specific services or principals to access it

Error: SQS queue policy is public and access is not restricted to specific services or principals

Bridgecrew Policy ID: BC_AWS_GENERAL_91
Checkov Check ID: CKV_AWS_168
Severity: MEDIUM

SQS queue policy is public and access is not restricted to specific services or principals

Description

An SQS queue policy is a resource-based policy, so a statement with "Effect": "Allow" and "Principal": "*" (or {"AWS": "*"}) and no Condition grants the listed actions to every AWS account and to anonymous, unauthenticated callers. Anyone who learns the queue URL can then send, receive or delete messages: inject forged work items, read data in transit, or drain the queue. Restrict each Allow statement to the specific principals (IAM roles or accounts) or AWS services that need the access, and when a service principal such as sns.amazonaws.com is used, pin it to the intended source with a condition such as aws:SourceArn so that another account's resource cannot reuse the grant. A Deny statement with Principal "*" does not make the queue public; it only narrows what the Allow statements grant, which is why the fix below changes the effect of the unscoped statement to Deny.

Fix - Buildtime

Terraform

  • Resource: aws_sqs_queue_policy
  • Argument: Statement (inside the JSON document passed to the policy argument)
resource "aws_sqs_queue_policy" "test" {
  ... 
  # The statement keeps Principal "*" but its Effect is Deny, so it removes
  # access instead of granting it to every principal.
  # Resource must reference the queue's ARN (aws_sqs_queue.q.arn); an
  # aws_sqs_queue_policy resource has no arn attribute.
  policy = <<POLICY
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Principal": "*",
+         "Effect": "Deny",
          "Action": "sqs:SendMessage",
          "Resource": "${aws_sqs_queue.q.arn}"
       }
    ]
}
POLICY
}
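The block below is an added example, not Bridgecrew's or Checkov's own code, that shows the public policy this check flags next to the more common fix: allowing only a named SNS topic to send and a named IAM role to consume, with a wildcard principal used only in a Deny. The queue name "orders", topic "order_events", the worker role ARN and the account ID are assumed for illustration.

```hcl
# Added example for CKV_AWS_168; not Bridgecrew's or Checkov's own code.
# Assumed names: queue "orders", SNS topic "order_events", and a consumer
# role ARN supplied through a variable (account ID below is a placeholder).

variable "worker_role_arn" {
  description = "IAM role allowed to consume from the queue (assumed value)"
  default     = "arn:aws:iam::123456789012:role/order-worker"
}

resource "aws_sqs_queue" "orders" {
  name = "orders"
}

resource "aws_sns_topic" "order_events" {
  name = "order-events"
}

# WEAK: flagged by CKV_AWS_168. Effect Allow, Principal "*" and no Condition
# means every AWS account and any anonymous caller may send messages.
# count = 0 keeps the bad policy in the file for comparison without
# applying it; a queue accepts only one policy anyway.
resource "aws_sqs_queue_policy" "orders_public" {
  count     = 0
  queue_url = aws_sqs_queue.orders.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "sqs:SendMessage"
      Resource  = aws_sqs_queue.orders.arn
    }]
  })
}

# FIXED: every Allow names a specific principal, and the service grant is
# additionally pinned to one topic ARN with aws:SourceArn so a topic in
# another account cannot use it.
data "aws_iam_policy_document" "orders_restricted" {
  statement {
    sid       = "AllowOnlyOrderEventsTopicToSend"
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.orders.arn]
    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.order_events.arn]
    }
  }

  statement {
    sid       = "AllowOrderWorkerRoleToConsume"
    effect    = "Allow"
    actions   = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]
    resources = [aws_sqs_queue.orders.arn]
    principals {
      type        = "AWS"
      identifiers = [var.worker_role_arn]
    }
  }

  # A wildcard principal is acceptable in a Deny: it removes access rather
  # than granting it. This statement refuses any request sent over plain HTTP.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["sqs:*"]
    resources = [aws_sqs_queue.orders.arn]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_sqs_queue_policy" "orders_restricted" {
  queue_url = aws_sqs_queue.orders.id
  policy    = data.aws_iam_policy_document.orders_restricted.json
}
```

Running checkov -d . against this directory reports the orders_public resource as failing CKV_AWS_168 and orders_restricted as passing; set count back to 1 on the weak resource only if you want to see the failure reproduced in a plan. Note that an SNS topic still needs an aws_sns_topic_subscription to the queue for messages to flow; the policy above only decides who is permitted to deliver them.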