[Bug]: False positive on check - "Check if SQS queues have policy set as Public" about prowler HOT 2 CLOSED

Hi @yuliang29,

Thank you for reporting this issue and providing detailed steps to reproduce the false positive scenario in the Prowler AWS scan.

From the provided SQS access policy snippet, it seems that the condition indeed limits access based on the source S3 ARN, even though it lacks the account ID. This may be causing the misinterpretation in our policy condition parser.

To address this false positive, here are some insights and possible workarounds:

Policy Condition Parsing: The current policy condition parser might not accurately interpret conditions without explicit account IDs. This could lead to false positives, especially in scenarios where conditions are based solely on resource ARNs without account specifics.

Parser Enhancement: We can consider enhancing the parser logic to handle scenarios like the one you've described, where conditions might lack explicit account IDs but still have valid restrictions based on resource ARNs.

Adjusting Policies: In the meantime, as a workaround, you might explicitly specify the AWS account ID in your conditions wherever possible to ensure accurate evaluation by the policy parser.

from prowler.

Hi @yuliang29 @SimardeepSingh-zsh I was checking this issue and I noticed that this is fixed in the master branch. As you can see in this part of the code https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py#L24-L43, we are handling the aws:SourceArn using the ArnEquals condition, so that check will raise a PASS finding for a SQS queue with that policy.

I'm going to close it since it is no longer an issue. Please feel free to reopen it if you notice the same behaviour again.

Thanks for using Prowler 🚀

from prowler.