This check detects the use of an asterisk (`*`) as the action in SQS policy document statements. Make sure SQS policy documents do not permit an asterisk as an action in any statement.
resource "aws_sqs_queue_policy" "allow_email_notification_events" {
  count = local.emailing_enabled

  queue_url = aws_sqs_queue.email_events[0].id

  # Noncompliant: "Action": "*" grants every SQS API action on this queue to
  # any principal that satisfies the Condition below, far more than the
  # SendMessage permission an SNS subscription needs.
  policy = <<-EOP
    {
      "Version": "2012-10-17",
      "Id": "${aws_sqs_queue.email_events[0].arn}/SQSDefaultPolicy",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "*",
          "Resource": "${aws_sqs_queue.email_events[0].arn}",
          "Condition": {
            "ArnEquals": {
              "aws:SourceArn": "${aws_sns_topic.email_notifications[0].arn}"
            }
          }
        }
      ]
    }
  EOP
}
resource "aws_sqs_queue_policy" "allow_email_notification_events" {
  count = local.emailing_enabled

  queue_url = aws_sqs_queue.email_events[0].id

  # Compliant: the statement allows the single SQS:SendMessage action only.
  # The wildcard principal is narrowed by the aws:SourceArn condition to the
  # one SNS topic that publishes to this queue; without that Condition the
  # statement would be open to any caller.
  policy = <<-EOP
    {
      "Version": "2012-10-17",
      "Id": "${aws_sqs_queue.email_events[0].arn}/SQSDefaultPolicy",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "SQS:SendMessage",
          "Resource": "${aws_sqs_queue.email_events[0].arn}",
          "Condition": {
            "ArnEquals": {
              "aws:SourceArn": "${aws_sns_topic.email_notifications[0].arn}"
            }
          }
        }
      ]
    }
  EOP
}