AWS – "SQS Cross Account Access" Fails on Multi-Valued Conditions
Given a queue policy like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:{PARTITION}:sqs:{REGION}:{ACCOUNT}:{QUEUENAME}",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": [
            "arn:{PARTITION}:events:{REGION}:{ACCOUNT}:rule/{BUS}/{RULENAME1}",
            "arn:{PARTITION}:events:{REGION}:{ACCOUNT}:rule/{BUS}/{RULENAME2}"
          ]
        }
      }
    }
  ]
}
```

…where `PARTITION`, `REGION`, and `ACCOUNT` are the same all-around, Aqua reports "The SQS queue policy allows cross-account access to the action(s): sqs:SendMessage". For otherwise-identical policies which have single-valued conditions, nothing is reported. Reporting nothing appears to be correct.
@chrisoverzero we added a fix related to a similar issue. Are you still facing the same error?
@AkhtarAmir Yes, I am still facing it. If you mean #917, that’s about when the problem began, even.