
     1  package sqs
     2  
     3  import (
     4  	"strings"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  
    16  	"github.com/liamg/iamgo"
    17  )
    18  
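// CheckNoWildcardsInPolicyDocuments flags SQS queue policies whose Allow
// statements grant every action ("*" or "sqs:*").
//
// For each policy attached to a queue, every statement is inspected: Deny
// statements are skipped, and an Allow statement whose Action list contains
// "*" or "sqs:*" (compared case-insensitively) produces one failing result,
// anchored on that statement's Action range. A policy with no such statement
// is recorded as passed for its queue.
//
// Only exact "*" / "sqs:*" entries are matched; partial wildcards such as
// "sqs:Delete*" are not flagged, and only Action (not NotAction) is
// inspected. Errors returned by the iamgo accessors are ignored, so a policy
// that yields no statements or no actions never produces a finding.
var CheckNoWildcardsInPolicyDocuments = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0097",
		Provider:   providers.AWSProvider,
		Service:    "sqs",
		ShortCode:  "no-wildcards-in-policy-documents",
		Summary:    "AWS SQS policy document has wildcard action statement.",
		Impact:     "SQS policies with wildcard actions allow more than is required",
		Resolution: "Keep policy scope to the minimum that is required to be effective",
		Explanation: `SQS Policy actions should always be restricted to a specific set.

This ensures that the queue itself cannot be modified or deleted, and prevents possible future additions to queue actions to be implicitly allowed.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoWildcardsInPolicyDocumentsGoodExamples,
			BadExamples:         terraformNoWildcardsInPolicyDocumentsBadExamples,
			Links:               terraformNoWildcardsInPolicyDocumentsLinks,
			RemediationMarkdown: terraformNoWildcardsInPolicyDocumentsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoWildcardsInPolicyDocumentsGoodExamples,
			BadExamples:         cloudFormationNoWildcardsInPolicyDocumentsBadExamples,
			Links:               cloudFormationNoWildcardsInPolicyDocumentsLinks,
			RemediationMarkdown: cloudFormationNoWildcardsInPolicyDocumentsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		// grantsAllActions reports whether any entry in the Action list is a
		// full wildcard ("*" or "sqs:*"), ignoring case.
		grantsAllActions := func(actions []string) bool {
			for _, action := range actions {
				switch strings.ToLower(action) {
				case "*", "sqs:*":
					return true
				}
			}
			return false
		}

		for _, queue := range s.AWS.SQS.Queues {
			for _, policyDoc := range queue.Policies {
				policy := policyDoc.Document.Parsed
				// The parse error is intentionally dropped: an unparseable
				// document simply contributes no statements.
				statements, _ := policy.Statements()

				failed := false
				for _, stmt := range statements {
					// Only Allow statements can widen access; Deny is skipped.
					if effect, _ := stmt.Effect(); effect != iamgo.EffectAllow {
						continue
					}
					actions, actionRange := stmt.Actions()
					if !grantsAllActions(actions) {
						continue
					}
					// One finding per offending statement, pointing at its Action block.
					failed = true
					results.Add(
						"Queue policy does not restrict actions to a known set.",
						policyDoc.Document.MetadataFromIamGo(stmt.Range(), actionRange),
					)
				}
				if !failed {
					results.AddPassed(&queue)
				}
			}
		}
		return results
	},
)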