Pattern: Use of * for AWS SQS policy document

Issue: -

Description

SQS Policy actions should always be restricted to a specific set.

This ensures that the queue itself cannot be modified or deleted through the policy, and prevents any SQS actions added by AWS in the future from being implicitly allowed.

Resolution: Keep policy scope to the minimum that is required to be effective.

Examples

Example of incorrect code:

```hcl
resource "aws_sqs_queue_policy" "bad_example" {
  queue_url = aws_sqs_queue.q.id

  policy = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*"
    }
  ]
}
POLICY
}
```

Example of correct code:

```hcl
resource "aws_sqs_queue_policy" "good_example" {
  queue_url = aws_sqs_queue.q.id

  policy = <<POLICY
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage"
    }
  ]
}
POLICY
}
```
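The check that this rule describes can be reproduced outside Terraform by inspecting the policy document itself. The Python below is an added example, not the scanner's own implementation: it parses a queue policy JSON, walks every `Allow` statement and reports any action that contains a `*` (the bare `*` from the incorrect example above, but also partial wildcards such as `sqs:*` or `sqs:Delete*`, which are equally not "a specific set"). The two policy strings are constructed to mirror the heredocs in the examples; the function names are this example's own.

```python
import json

# Constructed samples: the policy bodies from the two Terraform examples above.
BAD_POLICY = """
{
  "Statement": [
    { "Effect": "Allow", "Principal": "*", "Action": "*" }
  ]
}
"""

GOOD_POLICY = """
{
  "Statement": [
    { "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage" }
  ]
}
"""


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_actions(policy_document: str) -> list[str]:
    """Return every wildcard action granted by an Allow statement.

    Only Allow statements matter: a wildcard in a Deny statement narrows
    access rather than widening it. An Allow statement written with
    NotAction instead of Action is reported as the pseudo-action "NotAction",
    because it implicitly allows everything not listed.
    """
    doc = json.loads(policy_document)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(action)
    return findings


def policy_is_compliant(policy_document: str) -> bool:
    """True when no Allow statement uses a wildcard action."""
    return not wildcard_actions(policy_document)


if __name__ == "__main__":
    for name, doc in (("bad_example", BAD_POLICY), ("good_example", GOOD_POLICY)):
        found = wildcard_actions(doc)
        status = "OK" if not found else f"wildcard actions: {found}"
        print(f"{name}: {status}")
```

Running the module prints a finding for `bad_example` and `OK` for `good_example`. The same function can be pointed at the output of `aws sqs get-queue-attributes --attribute-names Policy` to audit queues that were created outside Terraform.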