activity_dashboard_logs_by_accountactivity_dashboard_logs_by_actoractivity_dashboard_logs_by_eventactivity_dashboard_logs_by_regionactivity_dashboard_logs_by_serviceactivity_dashboard_logs_by_source_ipactivity_dashboard_total_logscloudfront_distribution_default_certificate_disabledcloudfront_distribution_logging_disabledcloudtrail_trail_global_service_logging_disabledcloudtrail_trail_kms_key_updatedcloudtrail_trail_logging_stoppedcloudtrail_trail_s3_logging_bucket_updatedcloudwatch_log_group_created_with_encryption_disabledcodebuild_project_environment_variable_updatedcodebuild_project_service_role_updatedcodebuild_project_source_repository_updatedcodebuild_project_visibility_set_publicconfig_configuration_recorder_stoppedconfig_rule_deletedebs_encryption_by_default_disabledebs_snapshot_created_with_encryption_disabledebs_snapshot_shared_publiclyebs_snapshot_unlockedebs_volume_detachedec2_ami_shared_publiclyec2_instance_launched_with_public_ipec2_key_pair_deletedec2_reserved_instance_purchasedefs_file_system_backup_policy_disabledeventbridge_rule_deletedeventbridge_rule_disabledguardduty_detector_deletediam_access_key_creatediam_access_key_deletediam_group_administrator_policy_attachediam_group_inline_policy_updatediam_identity_created_without_cloudformationiam_role_administrator_policy_attachediam_role_inline_policy_updatediam_role_managed_policy_attachediam_root_user_console_loginiam_root_user_email_address_updatediam_user_administrator_policy_attachediam_user_creatediam_user_inline_policy_updatediam_user_login_profile_creatediam_user_login_profile_updatediam_user_managed_policy_attachediam_user_mfa_device_deactivatediam_user_password_changedkms_key_deletion_scheduledlambda_function_created_with_function_code_encryption_at_rest_disabledlambda_function_granted_public_accessrds_db_cluster_deletion_protection_disabledrds_db_instance_assigned_public_ip_addressrds_db_instance_deletion_protection_disabledrds_db_instance_iam_authentication_disabledrds_db_instance_master_password_updatedrds_db_instance_restored_from_public_snapshotroot_user_activity_report_aws_accounts_inputroot_user_activity_report_tableroot_user_activity_report_total_logsroute_53_domain_transfer_lock_disabledroute_53_domain_transferredroute_53_hosted_zone_associated_with_vpcs3_bucket_block_public_access_disableds3_bucket_deleteds3_bucket_policy_granted_public_accesss3_bucket_policy_updateds3_large_file_downloadedses_identity_feedback_forwarding_disabledsns_topic_granted_public_accesssqs_queue_created_with_encryption_at_rest_disabledsqs_queue_dlq_disabledsqs_queue_granted_public_accessssm_document_shared_publiclyvpc_classic_link_enabledvpc_createdvpc_deletedvpc_flow_log_deletedvpc_internet_gateway_added_to_public_route_tablevpc_internet_gateway_detachedvpc_network_acl_entry_updatedvpc_network_acl_entry_updated_with_allow_public_accessvpc_peering_connection_deletedvpc_route_table_association_replacedvpc_route_table_deletedvpc_route_table_route_deletedvpc_route_table_route_disassociatedvpc_security_group_deletedvpc_security_group_ingress_egress_rule_authorized_to_allow_allvpc_security_group_ingress_egress_rule_updatedwaf_web_acl_disassociated_from_cloudfront_distributionwaf_web_acl_disassociated_from_elb_application_load_balancerwaf_web_acl_logging_disabled
Query: sqs_queue_granted_public_access
Usage
powerpipe query aws_cloudtrail_log_detections.query.sqs_queue_granted_public_accessSQL
with policy as ( select *, unnest( from_json( ( request_parameters -> 'attributes' ->> 'Policy' -> 'Statement' ), '["JSON"]' ) ) as statement_item, from aws_cloudtrail_log where event_source = 'sqs.amazonaws.com' and event_name = 'SetQueueAttributes' and (request_parameters -> 'attributes' ->> 'Policy') != '')select tp_timestamp as timestamp, string_split(event_source, '.') [ 1 ] || ':' || event_name as operation, coalesce( response_elements ->> 'queueUrl', request_parameters ->> 'queueUrl' ) as resource, user_identity.arn as actor, tp_source_ip as source_ip, tp_index as account_id, aws_region as region, tp_id as source_id, *from policywhere (statement_item ->> 'Effect') = 'Allow' and ( ( json_contains((statement_item -> 'Principal'), '{"AWS":"*"}') ) or ((statement_item ->> 'Principal') = '*') ) and error_code is nullorder by event_time desc;Detections
The query is being used by the following detections: