--- title: SQS policy allows all actions description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SQS policy allows all actions --- # SQS policy allows all actions {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-sqs-policy-allows-all-actions` **Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) ### Description{% #description %} When SQS policies use the wildcard (`*`) for actions, they grant excessive permissions that violate the principle of least privilege, potentially allowing unauthorized entities to perform any operation on the queue. This vulnerability creates a significant security risk where attackers could read sensitive messages, delete messages, or modify queue configurations if they gain access. To avoid excessive permissions, replace wildcards with specific actions, such as `"Action": "sqs:SendMessage"` instead of the insecure `"Action": "*"`. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_sqs_queue" "negative1" { name = "examplequeue" } resource "aws_sqs_queue_policy" "negative2" { queue_url = aws_sqs_queue.q.id policy = <