Ensure SQS policy does not allow public access through wildcards
Description
This rule checks whether an SQS queue policy allows public access through the use of wildcards. Restricting access to SQS queues is essential to prevent unauthorized parties from reading, writing, or deleting messages; public access can lead to data exposure, message tampering, or other security issues. Ensuring that the policy does not allow public access protects your SQS queues from these threats.
Code Example

```terraform
resource "aws_sqs_queue_policy" "example" {
  queue_url = aws_sqs_queue.example.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowAccess",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::123456789012:root"
        },
        "Action" : "sqs:SendMessage",
        "Resource" : aws_sqs_queue.example.arn
      }
    ]
  })
}
```

Remediation
Ensure the SQS queue policy does not allow public access by specifying a restricted principal and removing wildcards from the Action and Principal sections.
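The following Python checker is an added example of the check this rule describes; it is not code from the page or from Checkov. It parses a queue policy document (the JSON that `jsonencode` produces in the Terraform example) and reports every `Allow` statement whose principal is a wildcard, noting whether the statement also uses a wildcard action or carries a `Condition`. The two sample policies, the queue ARN and the function names are constructed for illustration.

```python
import json
from typing import Any, Dict, List

# Constructed sample (not from the page): a non-compliant queue policy whose
# wildcard Principal and wildcard Action let anyone perform any SQS operation.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
        }
    ],
})

# Constructed sample mirroring the page's compliant example: one account
# root principal and one explicit action (the queue ARN is a placeholder).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
        }
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for "Principal": "*" or "Principal": {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_public_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement whose Principal is a wildcard."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant public access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            # A wildcard Action widens an already public grant to every operation.
            "wildcard_action": any(a == "*" or a.endswith("*") for a in actions),
            # A Condition (e.g. on aws:SourceArn) may narrow a wildcard principal;
            # the rule still flags the statement, but recording it helps triage.
            "has_condition": "Condition" in stmt,
        })
    return findings


def is_compliant(policy_json: str) -> bool:
    """Rule outcome: compliant when no Allow statement has a wildcard principal."""
    return not find_public_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "compliant" if is_compliant(doc) else find_public_statements(doc))
```

Run against the policy document rendered from a plan (for example the `policy` attribute of each `aws_sqs_queue_policy` resource), the checker returns no findings for the page's example and one finding for the public sample; the `has_condition` flag is there so a reviewer can tell an unconditional `*` grant from one scoped by a condition when deciding how to remediate.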
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0434 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | aws_sqs_queue_policy |
| Checkov ID | CKV_AWS_387 |