From bd23b94f8af53f110cad92f5592ce46a04706405 Mon Sep 17 00:00:00 2001 From: Taylor <28880387+tsmithv11@users.noreply.github.com> Date: Thu, 5 Dec 2024 10:11:51 -0800 Subject: [PATCH 1/2] Update bc-aws-iam-46.adoc --- .../aws-iam-policies/bc-aws-iam-46.adoc | 77 +++++-------------- 1 file changed, 19 insertions(+), 58 deletions(-) diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc index 048b6fb2af..fa4db8af6d 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc @@ -10,14 +10,13 @@ | bfe88196-dc6b-4c34-bda7-ef4b90942544 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/SQSPolicy.py[CKV_AWS_72] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/SQSPolicy.py[CKV_AWS_72] |Severity |INFO |Subtype -|Build -//, Run +|Build, Run |Frameworks |Terraform,TerraformPlan 
@@ -28,40 +27,8 @@ === Description +This policy ensures that AWS SQS policies do not allow unrestricted (*) actions. Allowing all actions in a policy can expose your SQS queue to potential misuse or unauthorized access, posing a security risk. Restricting the actions to only those required for your application ensures adherence to the principle of least privilege. -The Action element describes the specific action or actions that will be allowed or denied. -Statements must include either an Action or NotAction element. -Each AWS service has its own set of actions that describe tasks that can be performed with that service. -Specify a value using a namespace that identifies a service, for example, iam, ec2 sqs, sns, s3, followed by the name of the action to be allowed or denied. -The name must match an action that is supported by the service. -We recommend you do not allow "*" (all resource) statements as part of action elements. -This level of access could potentially grant unwanted and unregulated access to anyone given this policy document setting. -We recommend you to write a refined policy describing the specific action allowed or required by the specific policy holder. - -//// -=== Fix - Runtime - - -* AWS Console* - - - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/sqs/v2/home [Amazon SQS console]. - -. Click on the queue you want to modify. - -. Click on the "Access Policy" tab within the queue's details page. - -. Click "edit" next to the displayed "Access Policy". - -. Identify any Action statements permitting actions access to all resources ("*"). - -. Narrow the scope to necessary actions, for example * sqs:SendMessage* - -. Click * Save*. -//// === Fix - Buildtime 
@@ -69,34 +36,28 @@ We recommend you to write a refined policy describing the specific action allowe *Terraform* -* *Arguments:* statement -* *Attribute*: action +* *Arguments:* aws_sqs_queue_policy +* *Attribute*: policy.Statement.Action [source,go] ---- resource "aws_sqs_queue_policy" "example" { - queue_url = aws_sqs_queue.q.id + ... policy = < Date: Mon, 9 Dec 2024 00:25:42 -0800 Subject: [PATCH 2/2] Bakst feedback --- .../aws-policies/aws-iam-policies/bc-aws-iam-46.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc index fa4db8af6d..430a988654 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-46.adoc @@ -27,7 +27,7 @@ === Description -This policy ensures that AWS SQS policies do not allow unrestricted (*) actions. Allowing all actions in a policy can expose your SQS queue to potential misuse or unauthorized access, posing a security risk. Restricting the actions to only those required for your application ensures adherence to the principle of least privilege. +This policy ensures that AWS SQS policies are configured to limit permissions to specific actions, avoiding the use of unrestricted wildcards like (*), in adherence to the principle of least privilege. By restricting actions to only those necessary for your application, you mitigate the risk of unauthorized access and potential misuse of your SQS queue. === Fix - Buildtime 
@@ -39,6 +39,8 @@ This policy ensures that AWS SQS policies do not allow unrestricted (*) actions. * *Arguments:* aws_sqs_queue_policy * *Attribute*: policy.Statement.Action +In the following example, the IAM policy is configured to allow only the `sqs:SendMessage` action, restricting access to the SQS queue. This helps prevent unauthorized actions and enhances security. + [source,go] ----
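Review bot: In the header hunk of the first commit, `Subtype` changes from `Build` (with `Run` commented out) to `Build, Run`, but the same patch deletes the commented-out `=== Fix - Runtime` console procedure instead of restoring it, and `Frameworks` stays `Terraform,TerraformPlan`, which are build-time scanners. Either keep `Subtype` as `Build`, or uncomment and keep the runtime steps (`Open the Amazon SQS console`, `Click on the "Access Policy" tab`, `Narrow the scope to necessary actions`) so a reader who reaches the page through the Run subtype still has a remediation path. The `master` to `main` change in the Checkov link is fine provided `checkov/terraform/checks/resource/aws/SQSPolicy.py` still exists at that path on the `main` branch.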
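Review bot: The rewritten `=== Description` in the first commit no longer says what the check treats as unrestricted: the deleted text at least named the `Action` element, while the new sentence speaks of "unrestricted (*) actions" in general. State whether only a bare `"Action": "*"` fails or whether a service-scoped wildcard such as `sqs:*` is flagged too, since that is the first thing a reader with a finding needs to know; the `SQSPolicy.py` source linked in the header is where to confirm it. Also keep the old guidance that the action name must match one the service supports (for SQS, `sqs:SendMessage` is the example the page already uses). The old text mislabelled `*` in `Action` as "all resource"; the new text correctly drops that phrasing, so do not reintroduce it.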
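Review bot: In the `=== Fix - Buildtime` hunk, replacing `queue_url = aws_sqs_queue.q.id` with `...` removes a required argument of `aws_sqs_queue_policy` from the reference snippet, so the example is no longer a complete resource a reader can copy; keep the `queue_url` line. The bullet `* *Arguments:* aws_sqs_queue_policy` also puts the resource type under "Arguments"; the resource type belongs on its own line and the argument is `policy`, with `policy.Statement.Action` as the attribute. The rest of the heredoc is not visible in this hunk, so it cannot be confirmed here that the policy body shows a named action rather than `*`; make sure the JSON that follows has `"Action": "sqs:SendMessage"` (or another specific action), since the sentence added in the second commit promises exactly that.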
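Review bot: The sentence added before the `[source,go]` block in the second commit calls the snippet "the IAM policy", but `aws_sqs_queue_policy` attaches a resource-based queue policy, not an IAM identity policy; say "the queue policy". Saying that allowing only `sqs:SendMessage` is what "restrict[s] access to the SQS queue" also overstates it: narrowing `Action` limits which operations the grant covers, while who may perform them is governed by the statement's `Principal` and conditions, which the description does not mention. Suggested wording: "In the following example, the queue policy grants only the `sqs:SendMessage` action instead of a wildcard, so the statement covers only the operation the producer needs." In the same commit's description, "unrestricted wildcards like (*)" reads oddly with the parentheses; write "such as `*`".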