github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sqs/enable_queue_encryption.go (about) 1 package sqs 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckEnableQueueEncryption = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0096", 14 Provider: providers.AWSProvider, 15 Service: "sqs", 16 ShortCode: "enable-queue-encryption", 17 Summary: "Unencrypted SQS queue.", 18 Impact: "The SQS queue messages could be read if compromised", 19 Resolution: "Turn on SQS Queue encryption", 20 Explanation: `Queues should be encrypted to protect queue contents.`, 21 Links: []string{ 22 "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformEnableQueueEncryptionGoodExamples, 26 BadExamples: terraformEnableQueueEncryptionBadExamples, 27 Links: terraformEnableQueueEncryptionLinks, 28 RemediationMarkdown: terraformEnableQueueEncryptionRemediationMarkdown, 29 }, 30 CloudFormation: &scan.EngineMetadata{ 31 GoodExamples: cloudFormationEnableQueueEncryptionGoodExamples, 32 BadExamples: cloudFormationEnableQueueEncryptionBadExamples, 33 Links: cloudFormationEnableQueueEncryptionLinks, 34 RemediationMarkdown: cloudFormationEnableQueueEncryptionRemediationMarkdown, 35 }, 36 Severity: severity.High, 37 }, 38 func(s *state.State) (results scan.Results) { 39 for _, queue := range s.AWS.SQS.Queues { 40 if queue.Metadata.IsUnmanaged() { 41 continue 42 } 43 if queue.Encryption.KMSKeyID.IsEmpty() && queue.Encryption.ManagedEncryption.IsFalse() { 44 results.Add( 45 "Queue is not encrypted", 46 queue.Encryption, 47 ) 48 } else { 49 results.AddPassed(&queue) 50 } 51 } 52 return 53 }, 54 )