--- policy: /ce/ca/aws/sqs/queue-public-policy logic: /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml executionTime: 2026-04-25T12:04:02.307488781Z generationMs: 49 executionMs: 1765 rows: - id: test1 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test2 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage,\ \ sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage,\ \ sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])" runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" runtimeError: {} - id: test5 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" runtimeError: {} - id: test6 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" runtimeError: {} - id: test7 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage,\ \ sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage,\ \ sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])" runtimeError: {} - id: test8 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage,\ \ sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage,\ \ sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])" runtimeError: {} - id: test9 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" actual: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes,\ \ sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])" runtimeError: {} - id: test10 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 300 actual: 300 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/sqs/queue-public-policy/policy.yaml md5Hash: F2A4166CF383A14F377FCE12BD0D82B9 content: | --- names: full: "AWS SQS Queue policy allows public access" contextual: "Queue policy allows public access" description: > Ensure that Amazon SQS queue policies do not grant public access. A queue policy that allows anonymous or overly broad external principals can expose queued data, permit unauthorized message injection, and allow destructive administrative actions against the queue. type: "COMPLIANCE_POLICY" categories: - "SECURITY" frameworkMappings: - "/frameworks/cloudaware/resource-security/public-data-access" - "/frameworks/aws-fsbp-v1.0.0/sqs/03" similarPolicies: awsSecurityHub: - name: "[SQS.3] SQS queue access policies should not allow public access" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/sqs-controls.html#sqs-3" - path: /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml md5Hash: 3808D589D6089C13841CC03E0DC0F23B content: | --- inputType: "CA10__CaAwsQueue__c" testData: - file: "test-data.json" importExtracts: - file: "/types/CA10__CaAwsQueue__c/object.extracts.yaml" conditions: - status: "INCOMPLIANT" currentStateMessage: "The queue policy grants public administrative access to the SQS queue." remediationMessage: "Update the queue policy to remove public administrative permissions." check: AWS_POLICY_ALLOWS: policyExtField: "CA10__policyExt__c" widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL" actions: - "sqs:SetQueueAttributes" - "sqs:DeleteQueue" - "sqs:AddPermission" - "sqs:RemovePermission" - "sqs:PurgeQueue" - "sqs:TagQueue" - "sqs:UntagQueue" - status: "INCOMPLIANT" currentStateMessage: "The queue policy grants public access to queue messages or metadata." remediationMessage: "Update the queue policy to restrict message and metadata access to trusted principals." check: AWS_POLICY_ALLOWS: policyExtField: "CA10__policyExt__c" widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL" actions: - "sqs:ReceiveMessage" - "sqs:SendMessage" - "sqs:DeleteMessage" - "sqs:ChangeMessageVisibility" - "sqs:GetQueueAttributes" otherwise: status: "COMPLIANT" currentStateMessage: "The queue policy does not allow public access." - path: /ce/ca/aws/sqs/queue-public-policy/test-data.json md5Hash: D1F5A535A03385B293B3D8669A04732A content: | [ { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "300", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "", "Id": "test1" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "300", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"sqs:SendMessage\",\"Resource\":\"*\",\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"arn:aws:events:us-east-1:123456789012:rule/example\"}},\"AnalyzedResult\":{\"accessLevel\":\"SAME_ACCOUNT\",\"reason\":\"Policy is limited to the same account\"}}]}", "Id": "test2" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:SendMessage\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test3" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:DeleteQueue\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test4" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:PurgeQueue\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test5" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:AddPermission\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test6" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:ReceiveMessage\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test7" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:GetQueueAttributes\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test8" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"SQS:*\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test9" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "300", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__policyExt__c": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"sqs:*\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id": "test10" } ] - path: /types/CA10__CaAwsQueue__c/object.extracts.yaml md5Hash: C99AA06C51D1DC9FFE094C4102908EC9 content: | --- extracts: - name: CA10__policyExt__c value: FIELD: path: CA10__policyExt__c script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "300", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "300", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError" : null } }, { "Id" : "test6", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError" : null } }, { "Id" : "test7", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", "runtimeError" : null } }, { "Id" : "test8", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", "runtimeError" : null } }, { "Id" : "test9", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", "runtimeError" : null } }, { "Id" : "test10", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "300", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsQueue__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"sqs:SendMessage\",\"Resource\":\"*\",\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"arn:aws:events:us-east-1:123456789012:rule/example\"}},\"AnalyzedResult\":{\"accessLevel\":\"SAME_ACCOUNT\",\"reason\":\"Policy is limited to the same account\"}}]}", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:SendMessage\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:DeleteQueue\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:PurgeQueue\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test5" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:AddPermission\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test6" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:ReceiveMessage\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test7" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:GetQueueAttributes\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test8" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"SQS:*\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test9" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__policyExt__c" : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"sqs:*\",\"Resource\":\"*\",\"AnalyzedResult\":{\"accessLevel\":\"ANONYMOUS_PRINCIPAL\",\"reason\":\"All principals '*' do not restrict access\"}}]}", "Id" : "test10" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsQueue__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__policyExt__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var AwsPolicyAllows = new function () { function accessLevelOrdinal(accessLevel) { if (accessLevel === 'NOBODY') { return 0; } else if (accessLevel === 'SAME_ACCOUNT') { return 1; } else if (accessLevel === 'SAME_ORG') { return 2; } else if (accessLevel === 'TRUSTED_PRINCIPAL') { return 3; } else if (accessLevel === 'AWS_SERVICE') { return 4; } else if (accessLevel === 'EXTERNAL_PRINCIPAL') { return 5; } else if (accessLevel === 'ANONYMOUS_PRINCIPAL') { return 6; } else { return 7; } } function ensureArray(obj) { if (obj == null) { return []; } else if (Array.isArray(obj)) { return obj; } else { return [obj]; } } function arrayExec(obj, func) { if (obj == null) { return false; } else if (Array.isArray(obj)) { for (var i = 0; i < obj.length; i++) { if (func(obj[i], i)) { return true; } } return false; } else { return func(obj, 0); } } function wildcardMatches(text, pattern) { if (pattern.indexOf("*") === -1) { return text.toLowerCase() === pattern.toLowerCase(); } var regex = new RegExp("^" + pattern.toLowerCase().replaceAll("*", ".*") + "$"); return regex.test(text.toLowerCase()); } function isActionMatches(action, statement) { if (statement.Action) { let matches = false; arrayExec(statement.Action, function (statementAction) { if (wildcardMatches(action, statementAction)) { matches = true; // break; return true; } }); return matches; } else if (statement.NotAction) { let matches = false; arrayExec(statement.NotAction, function (statementAction) { if (wildcardMatches(action, statementAction)) { matches = true; // break; return true; } }); return !matches; } } function allowResources(openedResources, statement, statementIndex) { if (statement.Resource) { arrayExec(statement.Resource, function (resource) { openedResources.push({ allowType: "R", allowResource: resource, allowStatement: statementIndex, accessLevel: statement.AnalyzedResult.accessLevel, accessLevelOrdinal: accessLevelOrdinal(statement.AnalyzedResult.accessLevel) }); }); } else if (statement.NotResource) { arrayExec(statement.NotResource, function (resource) { openedResources.push({ allowType: "NR", allowResource: resource, allowStatement: statementIndex, accessLevel: statement.AnalyzedResult.accessLevel, accessLevelOrdinal: accessLevelOrdinal(statement.AnalyzedResult.accessLevel) }); }); } } function denyResources(openedResources, statement, statementIndex) { var denyType, list; if (statement.Resource) { denyType = "R"; list = statement.Resource; } else if (statement.NotResource) { denyType = "NR"; list = statement.NotResource; } else { return; } var closingAccessLevelOrdinal = accessLevelOrdinal(statement.AnalyzedResult.accessLevel); arrayExec(list, function (resource) { for (var i = 0; i < openedResources.length; i++) { var openedResource = openedResources[i]; if (openedResource.accessLevelOrdinal <= closingAccessLevelOrdinal) { // there is no sense processing deny if it is more widely open than the original allow continue; } if (openedResource.allowType === denyType) { if (wildcardMatches(openedResource.allowResource, resource)) { // openedResource.denyStatement = statementIndex; openedResource.denyType = denyType; openedResource.denyResource = resource; openedResource.accessLevel = statement.AnalyzedResult.accessLevel; openedResource.accessLevelOrdinal = closingAccessLevelOrdinal; } } else { if (!wildcardMatches(openedResource.allowResource, resource)) { // openedResource.denyStatement = statementIndex; openedResource.denyType = denyType; openedResource.denyResource = resource; openedResource.accessLevel = statement.AnalyzedResult.accessLevel; openedResource.accessLevelOrdinal = closingAccessLevelOrdinal; } } } }); } function calculateSingleAccess(policyExt, action) { var openedResources = []; var result; arrayExec(policyExt.Statement, function (statement, statementIndex) { if (statement.Effect !== 'Allow') { // we're accumulating only what's allowed return false; // continue; } if (statement.AnalyzedResult == null) { // we can't analyze the policy without pre-analysis done on the CMDB side result = { accessLevelOrdinal: accessLevelOrdinal("ANONYMOUS_PRINCIPAL"), accessLevel: "ANONYMOUS_PRINCIPAL", reason: 'There is no analyzed result for a statement #' + (statementIndex + 1) }; return true; // break; } if (isActionMatches(action, statement)) { allowResources(openedResources, statement, statementIndex); } }); if (result) { return [result]; } if (openedResources.length == 0) { return [{ accessLevelOrdinal: accessLevelOrdinal("NOBODY"), accessLevel: "NOBODY", reason: "Action " + action + " is implicitly denied. None of the statements are matching this action." }]; } arrayExec(policyExt.Statement, function (statement, statementIndex) { if (statement.Effect !== 'Deny') { // we're accumulating only what's denied return false; // continue; } if (statement.AnalyzedResult == null) { // we can't analyze the policy without pre-analysis done on the CMDB side result = { accessLevelOrdinal: accessLevelOrdinal("ANONYMOUS_PRINCIPAL"), accessLevel: "ANONYMOUS_PRINCIPAL", reason: 'There is no analyzed result for a statement #' + (statementIndex + 1) }; return true; // break; } if (isActionMatches(action, statement)) { denyResources(openedResources, statement, statementIndex); } }); if (result) { return [result]; } /** * чтобы "закрыть" Allow тебе нужно * 1) иметь accessLevel уже чем у Allow * 2) закрыть все Resource у Allow своими, которые в Deny */ return openedResources; } function resourceAccessibleBy(openedResources, widestAcceptableAccessLevel) { var ordinal = accessLevelOrdinal(widestAcceptableAccessLevel); return openedResources.filter(openedResource => openedResource.accessLevelOrdinal > ordinal); } this.calculateAccess = function(policyExt, actions, widestAcceptableAccessLevel) { var openedResources = []; arrayExec(actions, function (action) { var actionResult = calculateSingleAccess(policyExt, action); if (Array.isArray(actionResult)) { var filtered = resourceAccessibleBy(actionResult, widestAcceptableAccessLevel); if (filtered.length > 0) { var lowestLevel = null; arrayExec(filtered, function (resource) { if (lowestLevel == null) { lowestLevel = resource.accessLevel; } else { var resourceAccessLevelOrdinal = accessLevelOrdinal(resource.accessLevel); var lowestLevelOrdinal = accessLevelOrdinal(lowestLevel); if (resourceAccessLevelOrdinal > lowestLevelOrdinal) { lowestLevel = resource.accessLevel; } } }); openedResources.push({ action: action, accessLevel: lowestLevel, accessLevelOrdinal: accessLevelOrdinal(lowestLevel), reason: 'Policy allows action ' + action + ' with access level up to ' + lowestLevel, openedResources: filtered }); } } else { actionResult.action = action; openedResources.push(actionResult); } }); return openedResources; } }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function awsPolicyAllows4() { var policyExt3 = obj.CA10__policyExt__c; if (policyExt3 === '') { policyExt3 = '{}'; } var calculated2 = AwsPolicyAllows.calculateAccess(JSON.parse(policyExt3), ['sqs:SetQueueAttributes', 'sqs:DeleteQueue', 'sqs:AddPermission', 'sqs:RemovePermission', 'sqs:PurgeQueue', 'sqs:TagQueue', 'sqs:UntagQueue'], 'EXTERNAL_PRINCIPAL'); return calculated2.length > 0; } try { if (awsPolicyAllows4()) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements])", currentStateMessage: "The queue policy grants public administrative access to the SQS queue.", currentStateReferences: references1.join('\n'), remediation: "Update the queue policy to remove public administrative permissions.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function awsPolicyAllows7() { var policyExt6 = obj.CA10__policyExt__c; if (policyExt6 === '') { policyExt6 = '{}'; } var calculated5 = AwsPolicyAllows.calculateAccess(JSON.parse(policyExt6), ['sqs:ReceiveMessage', 'sqs:SendMessage', 'sqs:DeleteMessage', 'sqs:ChangeMessageVisibility', 'sqs:GetQueueAttributes'], 'EXTERNAL_PRINCIPAL'); return calculated5.length > 0; } try { if (awsPolicyAllows7()) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "CA10__policyExt__c .allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements])", currentStateMessage: "The queue policy grants public access to queue messages or metadata.", currentStateReferences: references1.join('\n'), remediation: "Update the queue policy to restrict message and metadata access to trusted principals.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'COMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "The queue policy does not allow public access.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__policyExt__c AS CA10__policyExt__c, sObject.Id AS Id, process_CA10__CaAwsQueue__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__policyExt__c AS CA10__policyExt__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsQueue__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;