---
title: SQS policy with public access
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > SQS policy with public access
---

# SQS policy with public access

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `d994585f-defb-4b51-b6d2-c70f020ceb10`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html)

### Description{% #description %}

SQS queue policies must not grant Allow permissions to a wildcard principal (`*`) combined with wildcard actions, as this gives any principal unrestricted ability to send, receive, delete, or otherwise manipulate queue messages, risking data exposure, message loss, or unauthorized message injection. In Ansible tasks using the `community.aws.sqs_queue` or `sqs_queue` module, inspect the `policy` property for policy statements where `Effect` is `"Allow"`, `Principal` is `"*"` (either `Principal == "*"` or `Principal.AWS` contains `"*"`), and `Action` contains `"*"`. Such statements are flagged.

Define explicit principals (AWS account ARNs, IAM role/user ARNs, or service principals) and restrict `Action` to the minimal SQS actions required (for example, `sqs:SendMessage`, `sqs:ReceiveMessage`). You can optionally add conditions (source ARN/IP, VPC) to further limit access.

Secure configuration example:

```yaml
- name: Create SQS queue with restricted policy
  community.aws.sqs_queue:
    name: my-queue
    policy:
      Version: "2012-10-17"
      Statement:
        - Sid: AllowSpecificAccount
          Effect: Allow
          Principal:
            AWS: "arn:aws:iam::123456789012:root"
          Action:
            - "sqs:SendMessage"
            - "sqs:ReceiveMessage"
          Resource: "arn:aws:sqs:us-east-1:123456789012:my-queue"
```
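To make the detection logic concrete, here is an added Python checker (not Datadog's rule engine or the Ansible collection's code) that applies exactly the conditions stated in the description: a statement is flagged when `Effect` is `Allow`, `Principal` is `"*"` or `Principal.AWS` contains `"*"`, and any `Action` entry contains a `*`. The tasks are constructed sample input written as the dicts a YAML loader would produce from a playbook, so the script runs with no YAML dependency; handling `policy` supplied as a JSON string is an assumption added for convenience, and the task names, queue names and account id are placeholders.

```python
import json
from typing import Any, Iterable

# Module names under which a task may declare the queue, per the rule description.
SQS_MODULES = ("community.aws.sqs_queue", "sqs_queue")


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """True when Principal is "*" or Principal.AWS contains "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_is_wildcard(action: Any) -> bool:
    """True when any Action entry contains a "*" (matches both "*" and "sqs:*")."""
    return any(isinstance(a, str) and "*" in a for a in _as_list(action))


def find_public_statements(policy: Any) -> list:
    """Return indexes of Allow statements with wildcard principal and wildcard action."""
    if isinstance(policy, str):  # assumption: policy may be given as a JSON string
        policy = json.loads(policy)
    if not isinstance(policy, dict):
        return []
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (isinstance(stmt, dict)
                and stmt.get("Effect") == "Allow"
                and principal_is_wildcard(stmt.get("Principal"))
                and action_is_wildcard(stmt.get("Action"))):
            flagged.append(i)
    return flagged


def scan_tasks(tasks: Iterable[dict]) -> list:
    """Return (task name, statement index) for every offending statement."""
    findings = []
    for task in tasks:
        for module in SQS_MODULES:
            if module in task:
                args = task[module] or {}
                for idx in find_public_statements(args.get("policy")):
                    findings.append((task.get("name", "<unnamed>"), idx))
    return findings


# Constructed sample tasks (placeholder names and account id), already parsed from YAML.
SAMPLE_TASKS = [
    {   # explicit principal and minimal actions: not flagged
        "name": "Restricted queue",
        "community.aws.sqs_queue": {"name": "my-queue", "policy": {
            "Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
                "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue"}]}},
    },
    {   # Principal "*" with Action "sqs:*": flagged
        "name": "Public queue (string principal)",
        "sqs_queue": {"name": "my-queue1", "policy": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "sqs:*", "Resource": "*", "Principal": "*"}]}},
    },
    {   # Principal.AWS "*" with Action "*", policy as a JSON string: flagged
        "name": "Public queue (AWS principal)",
        "community.aws.sqs_queue": {"name": "my-queue2", "policy": json.dumps({
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*", "Principal": {"AWS": "*"}}]})},
    },
    {   # wildcard principal but Effect Deny: outside this rule's scope, not flagged
        "name": "Deny-all statement",
        "community.aws.sqs_queue": {"name": "my-queue3", "policy": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Deny", "Action": "*", "Resource": "*", "Principal": "*"}]}},
    },
]

if __name__ == "__main__":
    for name, idx in scan_tasks(SAMPLE_TASKS):
        print(f"FLAGGED: task '{name}', Statement[{idx}]")
```

To run it against a real playbook, load the file with `yaml.safe_load` (PyYAML) and pass the resulting task list to `scan_tasks`; the checker deliberately ignores `Deny` statements and explicit principals, mirroring the rule's scope rather than auditing the whole policy.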

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: First SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue1
    region: ap-southeast-1
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: sqs:*
        Resource: '*'
        Principal:
          AWS: arn:aws:iam::123456789012:root  # explicit principal instead of "*"
    make_default: false
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: First SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue1
    region: ap-southeast-1
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "sqs:*"
        Resource: "*"
        Principal: "*"
    make_default: false
    state: present
- name: Second SQS queue with policy
  community.aws.sqs_queue:
    name: my-queue2
    region: ap-southeast-3
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
        Principal:
          AWS: "*"
    make_default: false
    state: present
```
