Merge pull request #1018 from tsmithv11/patch-27

Update bc-aws-iam-46.adoc
hlxsites · Dec 9, 2024 · 4f7a17b · 4f7a17b
2 parents d675a56 + 3292f91
commit 4f7a17b
Showing 1 changed file with 21 additions and 58 deletions.
diff --git a/...prise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc b/...prise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc
@@ -10,14 +10,13 @@
 | bfe88196-dc6b-4c34-bda7-ef4b90942544
 
 |Checkov ID 
-| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/SQSPolicy.py[CKV_AWS_72]
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/SQSPolicy.py[CKV_AWS_72]
 
 |Severity
 |INFO
 
 |Subtype
-|Build
-//, Run
+|Build, Run
 
 |Frameworks
 |Terraform,TerraformPlan
@@ -28,75 +27,39 @@
 
 === Description 
 
+This policy ensures that AWS SQS policies are configured to limit permissions to specific actions, avoiding the use of unrestricted wildcards like (*), in adherence to the principle of least privilege. By restricting actions to only those necessary for your application, you mitigate the risk of unauthorized access and potential misuse of your SQS queue.
 
-The Action element describes the specific action or actions that will be allowed or denied.
-Statements must include either an Action or NotAction element.
-Each AWS service has its own set of actions that describe tasks that can be performed with that service.
-Specify a value using a namespace that identifies a service, for example, iam, ec2 sqs, sns, s3, followed by the name of the action to be allowed or denied.
-The name must match an action that is supported by the service.
-We recommend you do not allow "*" (all resource) statements as part of action elements.
-This level of access could potentially grant unwanted and unregulated access to anyone given this policy document setting.
-We recommend you to write a refined policy describing the specific action allowed or required by the specific policy holder.
-
-////
-=== Fix - Runtime
-
-
-* AWS Console* 
-
-
-
-. Log in to the AWS Management Console at https://console.aws.amazon.com/.
-
-. Open the https://console.aws.amazon.com/sqs/v2/home [Amazon SQS console].
-
-. Click on the queue you want to modify.
-
-. Click on the "Access Policy" tab within the queue's details page.
-
-. Click "edit" next to the displayed "Access Policy".
-
-. Identify any Action statements permitting actions access to all resources ("*").
-
-. Narrow the scope to necessary actions, for example * sqs:SendMessage*
-
-. Click * Save*.
-////
 
 === Fix - Buildtime
 
 
 *Terraform* 
 
 
-* *Arguments:* statement
-* *Attribute*: action
+* *Arguments:* aws_sqs_queue_policy
+* *Attribute*: policy.Statement.Action
+
+In the following example, the IAM policy is configured to allow only the `sqs:SendMessage` action, restricting access to the SQS queue. This helps prevent unauthorized actions and enhances security.
 
 
 [source,go]
 ----
 resource "aws_sqs_queue_policy" "example" {
-  queue_url = aws_sqs_queue.q.id
+  ...
 
   policy = <<POLICY
-  {
-  "Version": "2012-10-17",
-  "Id": "sqspolicy",
-  "Statement": [
-      {
-      "Sid": "First",
-      "Effect": "Allow",
-      "Principal": "*",
-      "Action": "sqs:SendMessage",
-      "Resource": "${aws_sqs_queue.q.arn}",
-      "Condition": {
-          "ArnEquals": {
-          "aws:SourceArn": "${aws_sns_topic.example.arn}"
-          }
-      }
-      }
-  ]
-  }
+    {
+      ...
+      "Statement": [
+        {
+          "Sid": "Example",
+          "Effect": "Allow",
+-          "Action"   = "*",
++          "Action": ["sqs:SendMessage"],
+          ...
+        }
+      ]
+    }
   POLICY
-  }
+}
 ----