Control: SQS queue policies should prohibit public access

Description

Manage access to resources in the AWS Cloud by ensuring AWS SQS queues cannot be publicly accessed.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.sqs_queue_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.sqs_queue_policy_prohibit_public_access --share

SQL

This control uses a named query:

with wildcard_action_policies as (
  select
    queue_arn,
    count(*) as statements_num
  from
    aws_sqs_queue,
    jsonb_array_elements(policy_std -> 'Statement') as s
  where
    s ->> 'Effect' = 'Allow'
    and (
      ( s -> 'Principal' -> 'AWS') = '["*"]'
      or s ->> 'Principal' = '*'
    )
  group by
    queue_arn
)
select
  q.queue_arn as resource,
  case
    when p.queue_arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.queue_arn is null then title || ' does not allow public access.'
    else title || ' contains ' || coalesce(p.statements_num,0) ||
    ' statements that allows public access.'
  end as reason

  
  , q.region, q.account_id
from
  aws_sqs_queue as q
  left join wildcard_action_policies as p on q.queue_arn = p.queue_arn;

Control: SQS queue policies should prohibit public access

Description

Usage

SQL

Tags