SQS policy documents should avoid using wildcards

  • GG_ID: GG_IAC_0065
  • Severity: HIGH
  • Complexity: MEDIUM
  • Categories: PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description#

Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue to integrate and decouple distributed software systems and components.

SQS supports attaching a resource-based permissions policy to each queue. An overly permissive policy, for example one that uses the wildcard * in the Principal, Action, or Resource element, can grant unintended callers access to actions or queues they should not reach.

Impact#

A misconfigured queue policy can let unintended principals send, receive, or delete messages, leaking the data carried in the queue.

Remediation guidelines#

Replace wildcard (*) entries in the policy's Principal, Action, and Resource elements with the specific principals, actions, and queue ARNs required for the task. Start from the minimum set of permissions and add more only when a concrete need arises.
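The following is an added example, not code from this page or from GitGuardian: it places a constructed wildcard queue policy beside a constructed least-privilege replacement and runs a small checker over both. The account ID, queue name, and role name are made up for illustration, and the function find_wildcards is this example's own helper, not a ggshield API.

```python
"""Flag wildcard grants in an SQS queue policy document and show a scoped alternative."""
import json

# Constructed example of an overly permissive queue policy (fake account and queue).
# Principal "*" lets any AWS principal call the queue, and "sqs:*" covers every action,
# including ReceiveMessage, DeleteMessage and PurgeQueue.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAll",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue",
    }],
})

# Constructed least-privilege replacement: one named role, the two actions a producer
# needs, and a single queue ARN. The role name is hypothetical.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrderProducer",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-producer"},
        "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue",
    }],
})


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", a string, or {"AWS": [...], "Service": ...})."""
    if isinstance(principal, dict):
        flat = []
        for ids in principal.values():
            flat.extend(_as_list(ids))
        return flat
    return _as_list(principal)


def find_wildcards(policy_json):
    """Return (Sid, element, value) for every wildcard grant in an Allow statement.

    Deny statements are skipped: a wildcard there only narrows access. Any "*" in an
    Action or Resource value (e.g. "sqs:*", "sqs:Send*", "arn:...:*") is reported.
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for ident in _principals(stmt.get("Principal")):
            if ident == "*":
                findings.append((sid, "Principal", ident))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((sid, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append((sid, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcards(policy))
```

Running the block reports the Principal and Action wildcards in the first policy and nothing for the second. One caveat when triaging: a Principal of "*" combined with a Condition that pins aws:SourceArn is a common pattern for letting an AWS service (such as an SNS topic) publish to a queue. This checker still flags it, so whether such a conditioned wildcard is acceptable is a review decision rather than something the finding alone settles.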

External documentation#