fix(checks): AVD-AWS-0097 not triggered by "SQS:*"

[simar7]

Discussed in #8878

^{Originally posted by BenedekKovacsGMSL May 15, 2025}

Description

AVD-AWS-0097 does not report SQS:* as misconfiguration, even though action names are case insensitive (as per AWS documentation). Hence, SQS:* is exactly the same as sqs:*.

Desired Behavior

Having SQS:* in an SQS queue policy should be reported as a misconfiguration by Trivy (just as sqs:*).

Actual Behavior

Trivy skips over SQS:* in SQS queue policies and does not report it as a miscuniguration.

Reproduction Steps

- Configure SQS queue policy, which includes a statement with `actions = ["SQS:*"]`
- trivyignore.yaml file containing only misconfiguration rules to skip (notably not including `AVD-AWS-0097`)
- Run `trivy config . --ignorefile <<ignorefile path>>`

Target

None

Scanner

Misconfiguration

Output Format

None

Mode

None

Debug Output

-

Operating System

Ubuntu

Version

0.61.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Fixed in aquasecurity/trivy-checks#413