fix SQS policy to only accept intra-account sendMessage

mozilla · Jan 31, 2019 · 2869df7ddda853aabb91f8f24214ed437d06fb37 · 2869df7
1 parent 3b41f7a
commit 2869df7ddda853aabb91f8f24214ed437d06fb37
Unified Split

Showing with 3 additions and 3 deletions.

+2 −2 cloudy_mozdef/cloudformation/mozdef-cloudtrail.yml

+1 −1 cloudy_mozdef/cloudformation/mozdef-sqs.yml
diff --git a/cloudy_mozdef/cloudformation/mozdef-cloudtrail.yml b/cloudy_mozdef/cloudformation/mozdef-cloudtrail.yml
@@ -63,7 +63,7 @@ Resources:
        Statement:
        - Sid: AllowSNSToSendToSQS
          Effect: Allow
-  
-          Principal: '*'
+  
+          Principal: !Join [ '', 'arn:', 'aws:', 'iam:', !Ref AWS::AccountId, ':root' ]
          Action: sqs:SendMessage
          Resource: !GetAtt MozDefCloudTrailSQSQueue.Arn
          Condition:
@@ -94,4 +94,4 @@ Outputs:
    Value: !GetAtt MozDefCloudTrailSQSQueue.Arn
  CloudTrailSQSQueueName:
    Description: Name of the SQS Queue that will receive notifications of new CloudTrail logs in S3
-  
-    Value: !GetAtt MozDefCloudTrailSQSQueue.QueueName
+  
+    Value: !GetAtt MozDefCloudTrailSQSQueue.QueueName
diff --git a/cloudy_mozdef/cloudformation/mozdef-sqs.yml b/cloudy_mozdef/cloudformation/mozdef-sqs.yml
@@ -17,7 +17,7 @@ Resources:
        Statement:
        - Sid: AllowThisAccountSendToSQS
          Effect: Allow
-  
-          Principal: '*'
+  
+          Principal: !Join [ '', 'arn:', 'aws:', 'iam:', !Ref AWS::AccountId, ':root' ]
          Action: sqs:SendMessage
          Resource: !GetAtt MozDefSQSQueue.Arn
      Queues: