Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 3 SQS queue access policies should not allow public access

Description

This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public access to the queue.

An Amazon SQS access policy can allow public access to an SQS queue, which might allow an anonymous user or any authenticated AWS IAM identity to access the queue. SQS access policies typically provide this access by specifying the wildcard character (*) in the Principal element of the policy, not using proper conditions to restrict access to the queue, or both. If an SQS access policy allows public access, third parties might be able to perform tasks such as receive messages from the queue, send messages to the queue, or modify the access policy for the queue. This could result in events such as data exfiltration, a denial of service, or injection of messages into the queue by a threat actor.

Remediation

For information about configuring the SQS access policy for an SQS queue, see Using custom policies with the Amazon SQS Access Policy Language in the Amazon Simple Queue Service Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_sqs_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_sqs_3 --share

SQL

This control uses a named query:

with wildcard_action_policies as (
  select
    queue_arn,
    count(*) as statements_num
  from
    aws_sqs_queue,
    jsonb_array_elements(policy_std -> 'Statement') as s
  where
    s ->> 'Effect' = 'Allow'
    and (
      ( s -> 'Principal' -> 'AWS') = '["*"]'
      or s ->> 'Principal' = '*'
    )
  group by
    queue_arn
)
select
  q.queue_arn as resource,
  case
    when p.queue_arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.queue_arn is null then title || ' does not allow public access.'
    else title || ' contains ' || coalesce(p.statements_num,0) ||
    ' statements that allows public access.'
  end as reason


  
  , q.region, q.account_id
from
  aws_sqs_queue as q
  left join wildcard_action_policies as p on q.queue_arn = p.queue_arn;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resource_not_publicly_accessible
foundational_security_item_id = sqs_3
plugin = aws
service = AWS/SQS