Prisma Cloud: Reasoning behind policy "AWS SQS queue access policy is overly permissive" showing false negative or not alerting at all.

Created On 03/09/23 20:16 PM - Last Modified 05/23/24 18:06 PM


Symptom


When reviewing the RQL of the policy "AWS SQS queue access policy is overly permissive" on the Investigate page, the query returns no results even though queues with an overly permissive access policy are known to exist in the account.
 
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Effect equals Allow and Action anyStartWith sqs: and (Principal.AWS contains * or Principal equals *) and Condition does not exist)] exists

GUI Path: Investigate Page > Search RQL 


Environment


  • Prisma Cloud
  • Amazon Web Services


Cause


This is due to how casing is handled: the RQL string match in anyStartWith is case-sensitive, and the policy's rule only accounts for a lowercase service prefix, as seen below.
Action anyStartWith sqs:
When an access policy for an SQS queue is created in the AWS console, however, the default policy is generated with an uppercase prefix (for example SQS:*), so statements created from that default never match the rule and the queue is reported as compliant.

GUI Path: in AWS console > SQS > Access Policy 
[Screenshot: Amazon SQS Create Queue default policy uses uppercase SQS]


Resolution


The fix for this as of now is to clone the default policy and edit its RQL so that the action check accepts either casing, as follows:
(Action anyStartWith sqs: or Action anyStartWith SQS:)
Keep the parentheses: they make the two action checks a single condition, so the "or" does not detach "Effect equals Allow" from the rest of the statement test (without them a Deny statement or a statement with a Condition could match one side of the "or"). Once you do that, you should get results regardless of whether the access policy uses a lowercase or uppercase prefix.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Effect equals Allow and (Action anyStartWith sqs: or Action anyStartWith SQS:) and (Principal.AWS contains * or Principal equals *) and Condition does not exist)] exists
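To make the gap concrete, the following Python script re-implements the json.rule predicate in plain Python and runs the shipped rule, the patched rule and a case-insensitive comparison over a few constructed queue policies. It is an added example written for this article, not Prisma Cloud code; the account ID, queue and topic ARNs and the policy contents are made up, and the _policy, statement_is_open and evaluate_all names are the example's own.

```python
"""Re-implement the SQS "overly permissive" json.rule offline to show the
case-sensitivity gap. Added example, not Prisma Cloud code."""
import json

QUEUE = "arn:aws:sqs:us-east-1:123456789012:example-queue"  # made-up ARN


def _policy(**stmt):
    """Wrap one statement in a policy document string, as SQS stores it."""
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed sample policies standing in for the Policy attribute that
# aws sqs get-queue-attributes returns; none is captured from a real account.
POLICIES = {
    # Uppercase prefix as the AWS console writes it, wildcard principal, no
    # Condition: overly permissive, and the exact shape the shipped RQL misses.
    "console_uppercase_open": _policy(Sid="__owner_statement", Effect="Allow",
                                      Principal="*", Action=["SQS:*"],
                                      Resource=QUEUE),
    # Lowercase prefix: the shipped RQL catches this one.
    "lowercase_open": _policy(Effect="Allow", Principal={"AWS": "*"},
                              Action="sqs:SendMessage", Resource=QUEUE),
    # Same grant scoped by a Condition: correctly not flagged by any variant.
    "uppercase_conditioned": _policy(
        Effect="Allow", Principal="*", Action="SQS:SendMessage", Resource=QUEUE,
        Condition={"ArnEquals": {"aws:SourceArn":
                   "arn:aws:sns:us-east-1:123456789012:example-topic"}}),
    # A Deny aimed at everyone must never be flagged.
    "deny_everyone": _policy(Effect="Deny", Principal="*", Action="SQS:*",
                             Resource=QUEUE),
    # IAM also accepts mixed case; only a case-folding comparison catches it.
    "mixedcase_open": _policy(Effect="Allow", Principal="*", Action="Sqs:*",
                              Resource=QUEUE),
}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_open(stmt, prefixes, fold_case=False):
    """Mirror the per-statement predicate of the json.rule: Effect equals Allow
    and Action anyStartWith <prefix> and (Principal.AWS contains * or Principal
    equals *) and Condition does not exist. As with RQL's anyStartWith, the
    prefix test is case-sensitive unless fold_case is set."""
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    actions = _as_list(stmt.get("Action"))
    if fold_case:
        actions = [a.lower() for a in actions]
        prefixes = tuple(p.lower() for p in prefixes)
    if not any(a.startswith(prefixes) for a in actions):
        return False
    principal = stmt.get("Principal")
    if principal == "*":                       # Principal equals *
        return True
    if isinstance(principal, dict):            # Principal.AWS contains *
        return any("*" in p for p in _as_list(principal.get("AWS")))
    return False


def policy_is_open(policy_json, prefixes, fold_case=False):
    """any(...) over the Statement array, as the RQL's [?any(...)] exists."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return any(statement_is_open(s, prefixes, fold_case) for s in statements)


def original_rql(policy_json):
    """The shipped rule: lowercase service prefix only."""
    return policy_is_open(policy_json, ("sqs:",))


def patched_rql(policy_json):
    """The article's fix: lowercase or uppercase prefix."""
    return policy_is_open(policy_json, ("sqs:", "SQS:"))


def case_folded(policy_json):
    """What IAM itself does: compare action names case-insensitively."""
    return policy_is_open(policy_json, ("sqs:",), fold_case=True)


def evaluate_all():
    """Return {name: (original, patched, case_folded)} for every sample."""
    return {n: (original_rql(p), patched_rql(p), case_folded(p))
            for n, p in POLICIES.items()}


if __name__ == "__main__":
    for name, (orig, patched, folded) in evaluate_all().items():
        print(f"{name:24} original={orig!s:6} patched={patched!s:6} folded={folded}")
```

Running the script shows the console-generated SQS:* statement reported as compliant by the shipped rule (the false negative), caught by the patched rule, and a mixed-case Sqs:* statement that only the case-folded comparison catches; the Deny and Condition-scoped samples are correctly left alone by all three.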


Additional Information


In AWS, when you specify a value using a service namespace as an action prefix, it is case insensitive: IAM treats sqs:*, SQS:* and Sqs:* as the same grant. RQL string operators such as anyStartWith compare literally, which is why the rule has to list each spelling it expects to see; a mixed-case prefix such as Sqs: would still not be matched by a rule that checks only sqs: and SQS:.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHHCCA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail