AWS SQS Queue policy allows public access - prod.logic.yaml
- Contextual name: prod.logic.yaml
- ID: /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml
- Tags:
  - Logic test success
  - Logic with extracts
  - Logic with test data
Uses
- AWS SQS Queue
- AWS SQS Queue - object.extracts.yaml
- test-data.json
Test Results
Generated at: 2026-04-25T12:04:02.307488781Z
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| pass | test1 | 300 | otherwise | null |
| pass | test2 | 300 | otherwise | null |
| pass | test3 | 299 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements]) | null |
| pass | test4 | 199 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements]) | null |
| pass | test5 | 199 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements]) | null |
| pass | test6 | 199 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements]) | null |
| pass | test7 | 299 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements]) | null |
| pass | test8 | 299 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:ReceiveMessage, sqs:SendMessage, sqs:DeleteMessage, ... 2 elements]) | null |
| pass | test9 | 199 | CA10__policyExt__c.allows(EXTERNAL_PRINCIPAL, [sqs:SetQueueAttributes, sqs:DeleteQueue, sqs:AddPermission, ... 4 elements]) | null |
| pass | test10 | 300 | otherwise | null |
Generation Bundle
| File | MD5 |
|---|---|
| /ce/ca/aws/sqs/queue-public-policy/policy.yaml | F2A4166CF383A14F377FCE12BD0D82B9 |
| /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml | 3808D589D6089C13841CC03E0DC0F23B |
| /ce/ca/aws/sqs/queue-public-policy/test-data.json | D1F5A535A03385B293B3D8669A04732A |
| /types/CA10__CaAwsQueue__c/object.extracts.yaml | C99AA06C51D1DC9FFE094C4102908EC9 |
Available Commands
```shell
repo-manager policies generate FULL /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/sqs/queue-public-policy/prod.logic.yaml
```
Content
```yaml
---
inputType: "CA10__CaAwsQueue__c"
testData:
  - file: "test-data.json"
importExtracts:
  - file: "/types/CA10__CaAwsQueue__c/object.extracts.yaml"
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "The queue policy grants public administrative access to the SQS queue."
    remediationMessage: "Update the queue policy to remove public administrative permissions."
    check:
      AWS_POLICY_ALLOWS:
        policyExtField: "CA10__policyExt__c"
        widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL"
        actions:
          - "sqs:SetQueueAttributes"
          - "sqs:DeleteQueue"
          - "sqs:AddPermission"
          - "sqs:RemovePermission"
          - "sqs:PurgeQueue"
          - "sqs:TagQueue"
          - "sqs:UntagQueue"
  - status: "INCOMPLIANT"
    currentStateMessage: "The queue policy grants public access to queue messages or metadata."
    remediationMessage: "Update the queue policy to restrict message and metadata access to trusted principals."
    check:
      AWS_POLICY_ALLOWS:
        policyExtField: "CA10__policyExt__c"
        widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL"
        actions:
          - "sqs:ReceiveMessage"
          - "sqs:SendMessage"
          - "sqs:DeleteMessage"
          - "sqs:ChangeMessageVisibility"
          - "sqs:GetQueueAttributes"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "The queue policy does not allow public access."
```
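The logic above is declarative: two ordered `AWS_POLICY_ALLOWS` conditions (administrative actions first, then message/metadata actions) and an `otherwise` fallback. The following Python is an added illustration of what such an evaluation does to a raw SQS queue policy document; it is not the repo-manager engine's code and its semantics are assumptions: "external principal" is taken to mean an `Allow` statement whose `Principal` is the wildcard (`"*"` or `{"AWS": "*"}`) with no `Condition` block, any `Condition` is treated as scoping the grant, `NotAction`/`NotPrincipal`/`Deny` statements are ignored, and the sample policies are constructed for this example.

```python
"""Simplified stand-in for the two AWS_POLICY_ALLOWS checks in prod.logic.yaml.

Assumptions (not taken from the page): the input is the raw JSON from the SQS
`Policy` queue attribute; a grant is "public" when an Allow statement names the
wildcard principal and carries no Condition; Deny, NotAction and NotPrincipal
are not modelled. The real engine may evaluate access levels differently.
"""
import fnmatch
import json

# Action lists copied from the two conditions in prod.logic.yaml.
ADMIN_ACTIONS = [
    "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:AddPermission",
    "sqs:RemovePermission", "sqs:PurgeQueue", "sqs:TagQueue", "sqs:UntagQueue",
]
MESSAGE_ACTIONS = [
    "sqs:ReceiveMessage", "sqs:SendMessage", "sqs:DeleteMessage",
    "sqs:ChangeMessageVisibility", "sqs:GetQueueAttributes",
]


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and allow '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_actions(policy, actions):
    """Return the subset of `actions` granted to the wildcard principal without a Condition."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # simplification: any Condition is treated as scoping the grant
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in actions if _action_matches(pattern, a))
    return sorted(granted)


def evaluate_queue_policy(policy_json):
    """Apply the conditions in order, first match wins, then fall through to `otherwise`."""
    policy = json.loads(policy_json) if policy_json else {}
    if public_actions(policy, ADMIN_ACTIONS):
        return {"status": "INCOMPLIANT",
                "message": "The queue policy grants public administrative access to the SQS queue."}
    if public_actions(policy, MESSAGE_ACTIONS):
        return {"status": "INCOMPLIANT",
                "message": "The queue policy grants public access to queue messages or metadata."}
    return {"status": "COMPLIANT",
            "message": "The queue policy does not allow public access."}


# Constructed sample policies (account id and queue name are placeholders).
_QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"
SAMPLE_POLICIES = {
    # Wildcard principal with sqs:* hits the administrative condition first.
    "public_admin": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sqs:*", "Resource": _QUEUE_ARN}]}),
    # Wildcard principal limited to SendMessage (note the case) hits the message condition.
    "public_send": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SQS:SendMessage",
         "Resource": _QUEUE_ARN}]}),
    # Wildcard principal scoped by a source-ARN Condition: the common SNS-to-SQS pattern.
    "scoped_by_condition": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": _QUEUE_ARN,
         "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:topic"}}}]}),
    # Explicit account principal: not an external grant at all.
    "account_only": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sqs:*", "Resource": _QUEUE_ARN}]}),
}


def run_samples():
    """Evaluate every constructed sample and return {name: status}."""
    return {name: evaluate_queue_policy(doc)["status"] for name, doc in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, doc in SAMPLE_POLICIES.items():
        print(f"{name:20s} {evaluate_queue_policy(doc)}")
```

The ordering matters in the same way it does in the YAML: a policy that is public for `sqs:*` is reported under the administrative condition (index 199) rather than the message condition (index 299), because the first matching condition wins. Treating every `Condition` as scoping is a deliberately conservative simplification for the example; a production check should inspect which condition keys are present, since not all of them restrict who the caller is.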