What Changed

Security improvement to the AWS S3 Server Access and Config CloudFormation template, tightening SQS queue access policy from wildcard principal to S3 service-specific access.

Security Impact (Visibility & Fidelity)

The change restricts SQS queue access from "Principal": "*" (any AWS entity) to "Principal": {"Service": "s3.amazonaws.com"} (S3 service only). This follows AWS security best practices by implementing the principle of least privilege for queue access permissions.

Deployments using the previous template had overly permissive SQS access that could potentially allow unintended access to log processing queues. This update reduces the attack surface while maintaining proper S3-to-SQS log delivery functionality.
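As an added illustration (editor's example, not code from this repository or from the template itself), the script below builds the two queue-policy shapes the change summary describes, the old wildcard principal and the new S3 service principal, and runs a small audit over them. The queue ARN, bucket ARN, account ID and resource name are hypothetical placeholders. It also goes one step beyond the change: a service principal alone still lets any S3 bucket in any account deliver to the queue, so the audit flags an S3 statement that lacks an aws:SourceArn or aws:SourceAccount condition, and a third "hardened" policy shows that condition in place.

```python
import json

# Hypothetical identifiers used only to make the example concrete.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:s3-access-logs-queue"
LOG_BUCKET_ARN = "arn:aws:s3:::example-access-log-bucket"
ACCOUNT_ID = "123456789012"


def _policy(principal, condition=None):
    """Build a one-statement SQS queue policy (constructed sample, not the template's)."""
    stmt = {
        "Sid": "AllowS3SendMessage",
        "Effect": "Allow",
        "Principal": principal,
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
    }
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Before the change: any AWS identity may send to the log queue.
BEFORE_POLICY = _policy("*")
# After the change: only the S3 service principal may send.
AFTER_POLICY = _policy({"Service": "s3.amazonaws.com"})
# Editor's further hardening: pin the sender to one bucket in one account.
HARDENED_POLICY = _policy(
    {"Service": "s3.amazonaws.com"},
    condition={
        "ArnLike": {"aws:SourceArn": LOG_BUCKET_ARN},
        "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
    },
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_queue_policy(policy):
    """Return findings for Allow statements in an SQS queue policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if _is_wildcard_principal(principal):
            findings.append(
                f"{sid}: wildcard Principal lets any AWS identity call {stmt.get('Action')}"
            )
            continue
        if isinstance(principal, dict) and "Service" in principal:
            cond = stmt.get("Condition", {})
            keys = {k.lower() for block in cond.values() for k in block}
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append(
                    f"{sid}: service principal without aws:SourceArn/aws:SourceAccount "
                    "condition (any bucket in any account could send via S3)"
                )
    return findings


def audit_template(template):
    """Scan a parsed CloudFormation template for AWS::SQS::QueuePolicy resources."""
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::SQS::QueuePolicy":
            doc = res.get("Properties", {}).get("PolicyDocument", {})
            results[name] = audit_queue_policy(doc)
    return results


# Constructed template fragment with a hypothetical resource name.
TEMPLATE = {
    "Resources": {
        "LogQueuePolicy": {
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {"Queues": [QUEUE_ARN], "PolicyDocument": AFTER_POLICY},
        }
    }
}

if __name__ == "__main__":
    for label, pol in [("before", BEFORE_POLICY), ("after", AFTER_POLICY),
                       ("hardened", HARDENED_POLICY)]:
        print(label, audit_queue_policy(pol) or "OK")
    print(json.dumps(audit_template(TEMPLATE), indent=2))
```

Real templates usually express the queue and bucket ARNs with Ref or Fn::GetAtt rather than literals, so a production audit would resolve those intrinsics first; the policy-shape checks above are unchanged either way.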

Affected Files

Solutions/AWS_AccessLogs/CloudFormationTemplates/AWSS3ServerAccessAndConfig.json