AWS securityhub medium security documentation change
Summary
Added policy evaluation limitations note for SQS access controls
Security assessment
Introduces documentation about security control limitations regarding policy conditions with wildcards/variables, addressing potential misconfigurations in SQS queue access policies that could lead to security vulnerabilities.
Diff
diff --git a/securityhub/latest/userguide/sqs-controls.md b/securityhub/latest/userguide/sqs-controls.md index 6c4311d02..dec140686 100644 --- a//securityhub/latest/userguide/sqs-controls.md +++ b//securityhub/latest/userguide/sqs-controls.md @@ -9,3 +9 @@ -These AWS Security Hub controls evaluate the Amazon Simple Queue Service (Amazon SQS) service and resources. - -These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub controls evaluate the Amazon Simple Queue Service (Amazon SQS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -84,0 +83,4 @@ An Amazon SQS access policy can allow public access to an SQS queue, which might +###### Note + +This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the Amazon SQS access policy for a queue must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_. +