fix SQS policy to only accept intra-account sendMessage

andrewkrug committed Jan 31, 2019
1 parent 3b41f7a commit 2869df7ddda853aabb91f8f24214ed437d06fb37
@@ -63,7 +63,7 @@ Resources:
Statement:
- Sid: AllowSNSToSendToSQS
Effect: Allow
Principal: '*'
Principal: !Join [ '', 'arn:', 'aws:', 'iam:', !Ref AWS::AccountId, ':root' ]
Action: sqs:SendMessage
Resource: !GetAtt MozDefCloudTrailSQSQueue.Arn
Condition:
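Review bot: the new `Principal` line will not validate as written: `!Join` takes a delimiter followed by a single list of parts, so the parts need their own brackets, and an IAM root ARN has an empty region field, i.e. two colons after `iam`. The current parts concatenate to `arn:aws:iam:<account-id>:root` (one colon short); `!Join [ '', [ 'arn:aws:iam::', !Ref AWS::AccountId, ':root' ] ]` yields `arn:aws:iam::<account-id>:root`. A specific ARN principal also belongs under the `AWS` key (`Principal: { AWS: ... }`) rather than as a bare string, which is only accepted for `'*'`. Separately, the Sid here is AllowSNSToSendToSQS and a Condition follows it, but SNS delivers to the queue as the SNS service rather than as this account's root identity, so narrowing the principal to the account root is likely to break SNS delivery to this queue; the usual pattern is to keep the service principal (or `'*'`) and rely on the Condition to pin the source topic.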
@@ -94,4 +94,4 @@ Outputs:
Value: !GetAtt MozDefCloudTrailSQSQueue.Arn
CloudTrailSQSQueueName:
Description: Name of the SQS Queue that will receive notifications of new CloudTrail logs in S3
Value: !GetAtt MozDefCloudTrailSQSQueue.QueueName
Value: !GetAtt MozDefCloudTrailSQSQueue.QueueName
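Review bot: the removed and added lines in this hunk are byte-identical, so the only change is a line ending or end-of-file newline, which is unrelated to the commit's stated purpose; either drop it from this commit or mention it in the commit message so a reader does not hunt for a semantic difference.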
@@ -17,7 +17,7 @@ Resources:
Statement:
- Sid: AllowThisAccountSendToSQS
Effect: Allow
Principal: '*'
Principal: !Join [ '', 'arn:', 'aws:', 'iam:', !Ref AWS::AccountId, ':root' ]
Action: sqs:SendMessage
Resource: !GetAtt MozDefSQSQueue.Arn
Queues:
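Review bot: the `!Join` on the new `Principal` line is malformed in the same way as the CloudTrail queue policy in this commit: `!Join` needs a delimiter and then one list of parts, and the root ARN needs the empty region field (`arn:aws:iam::` + account id + `:root`), e.g. `!Join [ '', [ 'arn:aws:iam::', !Ref AWS::AccountId, ':root' ] ]`; the ARN should also sit under `Principal: { AWS: ... }` rather than as a bare string. For this statement the Sid AllowThisAccountSendToSQS matches the intent, so once the ARN is corrected it restricts `sqs:SendMessage` to identities in this account as the commit message describes.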
