no-wildcards-in-policy-documents
Explanation
SQS queue policy actions should always be restricted to a specific set of actions.
This ensures that the queue itself cannot be modified or deleted through an over-broad policy, and prevents any SQS actions added in the future from being implicitly allowed.
Possible Impact
SQS policies with wildcard actions allow more than is required.
Suggested Resolution
Keep the policy scope to the minimum that is required for it to be effective.
Insecure Example
The following example will fail the aws-sqs-no-wildcards-in-policy-documents check.
resource "aws_sqs_queue_policy" "bad_example" {
  queue_url = aws_sqs_queue.q.id
  policy    = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*"
    }
  ]
}
POLICY
}
Secure Example
The following example will pass the aws-sqs-no-wildcards-in-policy-documents check.
resource "aws_sqs_queue_policy" "good_example" {
  queue_url = aws_sqs_queue.q.id
  policy    = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage"
    }
  ]
}
POLICY
}
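To make the check's logic concrete, the following is an added example (not the check's own implementation) that scans an SQS policy document for wildcard actions in Allow statements. It treats any "*" in an action string as a wildcard, an assumption chosen to match the explanation above; the policy documents are the two shown on this page plus a constructed list-valued Action.

```python
import json
from typing import Any

# Sample inputs, constructed here from the two policy documents shown above
# plus a list-valued Action mixing a scoped and a service-wide wildcard action.
INSECURE_POLICY = '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*"}]}'
SECURE_POLICY = ('{"Statement": [{"Effect": "Allow", "Principal": "*", '
                 '"Action": "sqs:SendMessage"}]}')
MIXED_POLICY = ('{"Statement": [{"Effect": "Allow", "Principal": "*", '
                '"Action": ["sqs:SendMessage", "sqs:*"]}, '
                '{"Effect": "Deny", "Principal": "*", "Action": "sqs:*"}]}')


def _as_list(value: Any) -> list:
    """IAM allows scalar-or-list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action: str) -> bool:
    # "*" covers every action of every service, "sqs:*" every current and future
    # SQS action, and a prefix such as "sqs:Send*" any later action matching it.
    # All three implicitly allow actions that do not exist yet, which is what
    # the check is meant to prevent (assumption: any "*" counts as a wildcard).
    return "*" in action


def find_wildcard_actions(policy_json: str) -> list[str]:
    """Return one finding per Allow statement whose Action contains a wildcard.

    Deny statements are skipped: a wildcard there narrows access rather than
    widening it, so it is not what this check is about.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if is_wildcard_action(action):
                findings.append(f"Statement[{idx}]: wildcard action {action!r}")
    return findings


if __name__ == "__main__":
    for name, policy in [("bad_example", INSECURE_POLICY),
                         ("good_example", SECURE_POLICY),
                         ("mixed", MIXED_POLICY)]:
        print(name, find_wildcard_actions(policy) or "OK")
```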