AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-06-04 · Security-related medium

File: securityhub/latest/userguide/sqs-controls.md

Summary

Added policy evaluation limitations note for SQS access controls

Security assessment

Introduces documentation about security control limitations regarding policy conditions with wildcards/variables, addressing potential misconfigurations in SQS queue access policies that could lead to security vulnerabilities.

Diff

diff --git a/securityhub/latest/userguide/sqs-controls.md b/securityhub/latest/userguide/sqs-controls.md
index 6c4311d02..dec140686 100644
--- a//securityhub/latest/userguide/sqs-controls.md
+++ b//securityhub/latest/userguide/sqs-controls.md
@@ -9,3 +9 @@
-These AWS Security Hub controls evaluate the Amazon Simple Queue Service (Amazon SQS) service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the Amazon Simple Queue Service (Amazon SQS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -84,0 +83,4 @@ An Amazon SQS access policy can allow public access to an SQS queue, which might
+###### Note
+
+This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the Amazon SQS access policy for a queue must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_.
+