SQS policy documents should avoid using wildcards

GG_ID: GG_IAC_0065
Severity: HIGH
Complexity: MEDIUM
Categories: PERMISSION
Providers: AWS
Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: True

Description#

Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue to integrate and decouple distributed software systems and components.

SQS supports attaching permissions policies to resources. A too permissive policy could grant access to certain undesired resources or actions.

Impact#

Misconfigured permissions or direct access to storage drives can lead to data leak.

Remediation guidelines#

Replace the wildcard * permissions in the configuration file to grant only the required ones to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary.

External documentation#

SQS security best practices