SAM Policy templates have outdated policies and they fail with cfn-lint
Description
SAM Policy templates have outdated policies and they fail with cfn-lint (version 1.30.0). The reason for the failure is rule W3037. Example: the SQSPollerPolicy:
```json
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:ReceiveMessage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        {
          "queueName": {
            "Ref": "QueueName"
          }
        }
      ]
    }
  }
]
```
Steps to reproduce
Use the following in a CFN template:

```yaml
SQSReader:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: ./thecode
    Description: Parses Pulse events and writes them in the Staging bucket
    Events:
      TheQueue:
        Type: SQS
        Properties:
          BatchSize: 10
          Enabled: True
          MaximumBatchingWindowInSeconds: 60
          Queue: !GetAtt TheQueue.Arn
          ScalingConfig:
            MaximumConcurrency: 4
    Handler: SomeClass:handleRequest
    Policies:
      - SQSPollerPolicy:
          QueueName: !GetAtt PulseEventsStreamQueue.QueueName
    Tracing: Active
```
Observed result
The policy template has rights that no longer exist
Expected result
A valid policy
Additional environment details
- OS: Linux
- If using the SAM CLI, `sam --version`:
- AWS region: eu-west-1
Thanks for the report.
There's a test run with these failures here: https://github.com/aws/serverless-application-model/actions/runs/13912627739/job/38929834041
It's interesting here because it looks like these actions ("sqs:DeleteMessageBatch", etc) don't seem to exist, and the Batch versions of these APIs just use the permissions for the individual action APIs (https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-api-permissions-reference.html). So it doesn't look like these actions actually give permissions for anything.
We have to analyze what we do in this case. Thanks again.
For the moment we're ignoring W3037 in SAM's tests, and I would recommend you do the same as a short-term solution for this. We're still coming up with a better approach to see what we do with these permissions long term.
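Added example, not from the issue thread or the SAM project: a small Python check that does what the maintainers describe above, comparing the actions in the quoted SQSPollerPolicy statement against a catalogue of real SQS IAM actions and pruning the names IAM does not define. The `KNOWN_SQS_ACTIONS` set is an assumption (a hand-picked subset of SQS actions, not a complete list; cfn-lint's W3037 uses its own full catalogue), and the function names are my own.

```python
"""Flag and prune IAM action names that the service does not define.

Added example; not code from the SAM issue or the serverless-application-model
project. KNOWN_SQS_ACTIONS is an assumption: a hand-picked subset of real SQS
IAM actions used as the reference catalogue for this demonstration.
"""
import copy
import json

# Assumption: a small subset of genuine SQS IAM actions, standing in for the
# complete catalogue a real linter (cfn-lint W3037) would consult.
KNOWN_SQS_ACTIONS = {
    "sqs:ChangeMessageVisibility",
    "sqs:DeleteMessage",
    "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl",
    "sqs:ReceiveMessage",
    "sqs:SendMessage",
}

# The SQSPollerPolicy statement quoted in the issue, wrapped in an object so
# it parses as a complete policy document.
SQS_POLLER_POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:ChangeMessageVisibilityBatch",
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage"
      ],
      "Resource": {
        "Fn::Sub": [
          "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
          {"queueName": {"Ref": "QueueName"}}
        ]
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM allows "Action" to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def unknown_actions(policy, catalogue=KNOWN_SQS_ACTIONS):
    """Return, sorted, every action name in the policy that is not in the catalogue.

    Wildcard actions such as "sqs:*" are skipped: they are valid IAM syntax
    and cannot be compared against a catalogue of literal names.
    """
    found = set()
    for stmt in policy.get("Statement", []):
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                continue
            if action not in catalogue:
                found.add(action)
    return sorted(found)


def prune_unknown_actions(policy, catalogue=KNOWN_SQS_ACTIONS):
    """Return a copy of the policy with unrecognised action names removed.

    This does not narrow what the policy grants: a name IAM does not
    recognise never matched any API call. It only removes dead entries so
    that a check like cfn-lint W3037 no longer fires.
    """
    pruned = copy.deepcopy(policy)
    for stmt in pruned.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        stmt["Action"] = [a for a in actions if "*" in a or a in catalogue]
    return pruned


if __name__ == "__main__":
    print("unknown actions:", unknown_actions(SQS_POLLER_POLICY))
    print(json.dumps(prune_unknown_actions(SQS_POLLER_POLICY), indent=2))
```

Dropping the two Batch names does not reduce what the role can do: as the maintainer notes above, the batch API calls are authorised by the corresponding single-message actions, and an action name IAM does not recognise never granted anything. For the short-term workaround the maintainers describe, cfn-lint can be told to skip the rule with `cfn-lint --ignore-checks W3037 template.yaml`.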