---
title: SQS policy allows all actions
description: Datadog, the leading service for cloud-scale monitoring.
---

# SQS policy allows all actions

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ed9b3beb-92cf-44d9-a9d2-171eeba569d4`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Access Control

### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html)

## Description{% #description %}

SQS queue policies must not grant wildcard (`*`) actions. Allowing all actions on a queue enables unauthorized access, message retrieval or deletion, and queue modification, which can lead to data exposure or service disruption.

For Ansible SQS resources (`community.aws.sqs_queue` and `sqs_queue`), inspect the `policy` document and ensure that no `Statement` with `Effect: "Allow"` has an `Action` equal to `*` or an `Action` array that includes `*`; the rule flags either form. Instead, specify explicit SQS actions (for example, `sqs:SendMessage`, `sqs:ReceiveMessage`, `sqs:DeleteMessage`) and restrict principals to the minimum required.

Secure example with explicit actions and principal:

```yaml
- name: Create SQS queue with restricted policy
  community.aws.sqs_queue:
    name: my-queue
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:role/MyRole" },
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue"
          }
        ]
      }
```
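The check described above, written out as an added example (this is not Datadog's rule engine or the Ansible module's own code). It takes a task as Ansible would load it, accepts the `policy` either as the JSON string produced by `policy: |` or as a YAML mapping, and flags any `Allow` statement whose `Action` is `*` or a list containing `*`; the sample tasks are constructed to mirror the page's secure and non-compliant examples.

```python
"""Added example: flag Ansible sqs_queue tasks whose queue policy has an
Allow statement with Action "*" (or an Action list that contains "*")."""
import json

# Module names the page says the rule applies to.
SQS_MODULES = {"community.aws.sqs_queue", "sqs_queue"}


def _as_list(value):
    """Normalise a scalar-or-list IAM policy field to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy):
    """Return the indexes of Allow statements whose Action is '*' or includes '*'."""
    # `policy: |` gives a JSON string; a YAML mapping gives a dict.
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # Deny statements grant nothing, so they are not flagged
        if "*" in _as_list(stmt.get("Action")):
            flagged.append(idx)
    return flagged


def check_task(task):
    """Return (is_compliant, flagged_statement_indexes) for one Ansible task."""
    for module in SQS_MODULES:
        if module in task:
            policy = task[module].get("policy")
            if not policy:
                return True, []  # no policy attached, nothing to flag
            flagged = wildcard_allow_statements(policy)
            return not flagged, flagged
    return True, []  # not an SQS queue task


# Constructed tasks mirroring the page's examples, as Ansible would load them.
SECURE_TASK = {"community.aws.sqs_queue": {"name": "my-queue", "policy": json.dumps({
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"},
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": "*"}]})}}
BAD_TASK = {"community.aws.sqs_queue": {"name": "my-queue2", "policy": {
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "aws:action", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}

if __name__ == "__main__":
    for label, task in (("secure", SECURE_TASK), ("non-compliant", BAD_TASK)):
        print(label, check_task(task))
```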

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create SQS queue with redrive policy
  community.aws.sqs_queue:
    name: my-queue
    region: ap-southeast-2
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Second SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue2
    region: ap-southeast-3
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "aws:action"
        Resource: "*"
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
    make_default: false
    state: present
```
