no-wildcards-in-policy-documents

Default Severity: high

Explanation

SQS Policy actions should always be restricted to a specific set.

This ensures that the queue itself cannot be modified or deleted, and prevents any SQS actions added in the future from being implicitly allowed.

Possible Impact

SQS policies with wildcard actions allow more than is required

Suggested Resolution

Keep policy scope to the minimum that is required to be effective

Insecure Example

The following example will fail the aws-sqs-no-wildcards-in-policy-documents check.

resource "aws_sqs_queue_policy" "bad_example" {
  queue_url = aws_sqs_queue.q.id

  policy = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*"
    }
  ]
}
POLICY
}

Secure Example

The following example will pass the aws-sqs-no-wildcards-in-policy-documents check.

resource "aws_sqs_queue_policy" "good_example" {
  queue_url = aws_sqs_queue.q.id

  policy = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage"
    }
  ]
}
POLICY
}
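The following is an added example, not tfsec's own check code, showing how the rule above can be applied to a policy document outside Terraform (for instance in a CI step that inspects rendered policy JSON). It parses the policy and reports every Allow statement whose Action contains a wildcard. It goes a little beyond the two examples on this page: Statement and Action may be a single value or a list, a partial wildcard such as sqs:* or sqs:Send* is flagged as well as a bare *, Deny statements are ignored because a broad Deny narrows rather than widens the grant, and an Allow statement written with NotAction is reported, since it grants every action except those listed. Like the tfsec check, it looks only at actions; the Principal "*" present in both page examples is a separate concern and is not evaluated here. The two sample policies are constructed to match the insecure and secure examples above.

```python
import json

# Constructed sample policies, modelled on the page's two examples.
INSECURE_POLICY = """
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*"
    }
  ]
}
"""

SECURE_POLICY = """
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage"
    }
  ]
}
"""


def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action: str) -> bool:
    """True for '*' and for any partial wildcard such as 'sqs:*' or 'sqs:Send*'."""
    return "*" in action


def find_wildcard_actions(policy_json: str):
    """Return (statement index, offending action) pairs for each Allow statement
    whose Action contains a wildcard. An Allow statement that uses NotAction is
    reported too, because it allows everything except the listed actions."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in stmt:
            listed = ",".join(_as_list(stmt["NotAction"]))
            findings.append((idx, "NotAction:" + listed))
            continue
        for action in _as_list(stmt.get("Action")):
            if is_wildcard_action(action):
                findings.append((idx, action))
    return findings


def check_policy(policy_json: str) -> bool:
    """True when the policy passes: no wildcard actions in any Allow statement."""
    return not find_wildcard_actions(policy_json)


if __name__ == "__main__":
    for name, doc in (("bad_example", INSECURE_POLICY), ("good_example", SECURE_POLICY)):
        verdict = "PASS" if check_policy(doc) else "FAIL"
        print(f"{name}: {verdict} {find_wildcard_actions(doc)}")
```

Running the block prints a FAIL for bad_example (statement 0, action "*") and a PASS for good_example. The finding carries the statement index so the offending entry can be located in a policy with many statements.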