--- title: SQS queue exposed description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SQS queue exposed --- # SQS queue exposed {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `abb06e5f-ef9a-4a99-98c6-376d396bfcdf` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#policy) ### Description{% #description %} An SQS Queue is considered exposed when its policy allows access from any principal by setting `Principal` to `*`. This creates a security vulnerability where unauthorized users can send messages to your queue, potentially leading to information disclosure or denial of service attacks. To secure your SQS queue, avoid using wildcard principals in your policy statements. Instead, explicitly specify the ARNs of services or resources that should have access to the queue, as shown in the following secure example: ``` { "Statement": [ { "Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "${aws_sqs_queue.q.arn}", "Condition": { "ArnEquals": { "aws:SourceArn": "${aws_sns_topic.example.arn}" } } } ] } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform module "user_queue" { source = "terraform-aws-modules/sqs/aws" version = "~> 2.0" name = "user" tags = { Service = "user" Environment = "dev" } policy = <