AWS SQS queue access policy is overly permissive

Description

This rule checks that AWS SQS queue policies limit permissions to the specific actions an application needs, rather than granting an unrestricted wildcard (`*`) in `Action`, in keeping with the principle of least privilege. Because the queue policy is a resource-based policy, a wildcard action hands every SQS API operation to whichever principals the statement names; restricting the actions to those actually required reduces the risk of unauthorized access to and misuse of the queue.

Code Example

```hcl
resource "aws_sqs_queue_policy" "example" {
  ...

  policy = <<POLICY
    {
      ...
      "Statement": [
        {
          "Sid": "Example",
          "Effect": "Allow",
-          "Action": "*",
+          "Action": ["sqs:SendMessage"],
          ...
        }
      ]
    }
  POLICY
}
```

Remediation

Terraform

  • Arguments: aws_sqs_queue_policy
  • Attribute: policy.Statement.Action

In the example above, the queue policy is changed to allow only the `sqs:SendMessage` action instead of every action, which restricts what the named principals can do with the SQS queue. Note that a service-scoped wildcard such as `sqs:*` is just as broad as `*` for this resource and should be replaced in the same way.
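To apply the same check to a policy document outside of a Terraform scan, here is an added Python example; it is not code from this page or from Checkov, and the two sample policy documents, the function name and the account/queue identifiers in them are constructed for illustration.

```python
import json

# Constructed sample queue policies (not from the page). Only the Action
# field differs: the first grants every action, the second only SendMessage.
PERMISSIVE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Example", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "*",
     "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"}
  ]
}"""
SCOPED_POLICY = PERMISSIVE_POLICY.replace('"Action": "*"',
                                          '"Action": ["sqs:SendMessage"]')


def overly_permissive_statements(policy_json: str) -> list[str]:
    """Return the Sid of every Allow statement that grants all SQS actions.

    Flags "*" or "sqs:*" (any case) in Action, whether given as a string or
    a list. An Allow statement written with NotAction is also reported: it
    grants every action except the listed ones, so it is at least as broad
    as a wildcard. Deny statements never widen access and are skipped.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    flagged = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            flagged.append(sid)
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a.strip().lower() in ("*", "sqs:*") for a in actions):
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    print("permissive:", overly_permissive_statements(PERMISSIVE_POLICY))
    print("scoped:", overly_permissive_statements(SCOPED_POLICY))
```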

Rule Details

| Field      | Value                    |
|------------|--------------------------|
| ID         | IAC-0125                 |
| Severity   | INFO                     |
| IaC Type   | Terraform                |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_72               |

References