
Terraform Public Send Message Allowed

Description

Detects when an AWS SQS queue is configured with overly permissive access that allows public (anonymous) access to send messages. This represents a security risk as unauthorized users could flood the queue with messages, potentially leading to denial of service or excessive costs.

Weakness:

325 - Excessive privileges - Wildcards

Category: Access Subversion

Detection Strategy

    Scans Terraform configuration files for AWS SQS queue and queue policy resources

    Analyzes the queue policy statements to identify if any allow public access through Principal configurations

    Reports a vulnerability when a queue policy grants SendMessage permissions to everyone (*) or unauthenticated users

Vulnerable code example

resource "aws_sqs_queue" "queue" {
  name = "vulnerable-queue"
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow",...

✅ Secure code example

resource "aws_sqs_queue" "queue" {
  name = "secure-queue"
  
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "SecureQueuePolicy"
    Statement = [
      {...
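The two Terraform examples above are truncated on this page, and the Detection Strategy is described only in prose. The following is an added example, not the scanner's code and not the original page's, that implements that strategy in Python over the JSON a `jsonencode(...)` queue policy would produce: it embeds a constructed vulnerable policy (Principal `*`, `sqs:SendMessage`), a constructed secure policy that limits the principal to a placeholder producer role, and a third constructed policy that is public in Principal but narrowed by an `aws:SourceArn` Condition. The account id, role name and queue ARN are made-up placeholders. The check goes slightly beyond the page's wording in that it also treats `{"AWS": "*"}` and the `sqs:*` / `*` action wildcards as public SendMessage grants.

```python
"""Detect SQS queue policy statements that let anyone send messages.

Added illustration of the detection described on this page; it is not the
scanner's own implementation. It works on the policy JSON that Terraform's
jsonencode() emits for aws_sqs_queue.policy / aws_sqs_queue_policy.policy.
"""
import json
from typing import Any

# Any of these actions includes sqs:SendMessage (case-insensitive match).
SEND_MESSAGE_ACTIONS = {"sqs:sendmessage", "sqs:*", "*"}


def _as_list(value: Any) -> list:
    """IAM allows scalars or lists for Action/Principal/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal: Any) -> bool:
    """True when the Principal element grants access to everyone (anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # {"AWS": "*"} is equivalent to the bare "*" principal.
        return "*" in _as_list(principal.get("AWS"))
    return False


def allows_send_message(actions: Any) -> bool:
    """True when the Action element covers sqs:SendMessage."""
    return any(str(a).lower() in SEND_MESSAGE_ACTIONS for a in _as_list(actions))


def find_public_send_statements(policy_json: str) -> list[str]:
    """Return the Sid (or positional label) of every statement that lets
    an anonymous principal send messages with no Condition narrowing it."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not principal_is_public(stmt.get("Principal")):
            continue
        if not allows_send_message(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceArn) narrows the grant, so it is not
            # reported as public here; it still deserves a manual review.
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed sample policies (placeholder ARNs; not from the original page).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:example-queue"

VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicSend",
        "Effect": "Allow",
        "Principal": "*",                 # anyone, including unauthenticated callers
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
    }],
})

SECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "SecureQueuePolicy",
    "Statement": [{
        "Sid": "ProducerOnly",
        "Effect": "Allow",
        # Placeholder role ARN: only this principal may send.
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/producer-role"},
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
    }],
})

CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SnsFanout",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sqs:SendMessage"],
        "Resource": QUEUE_ARN,
        # Placeholder topic ARN: restricts the wildcard principal to one source.
        "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:111111111111:orders"}},
    }],
})

if __name__ == "__main__":
    for name, policy in [("vulnerable", VULNERABLE_POLICY),
                         ("secure", SECURE_POLICY),
                         ("conditioned", CONDITIONED_POLICY)]:
        print(name, find_public_send_statements(policy))
```

Running the block reports `PublicSend` for the vulnerable policy and nothing for the other two. The conditioned policy shows the caveat a practitioner should keep in mind when triaging this finding: a wildcard principal under an `aws:SourceArn` (or similar) Condition is the normal pattern for SNS-to-SQS fan-out and is not anonymous access, so the scanner's result should be read together with any Condition on the statement.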