github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sqs/queue_encryption_with_cmk.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sqs/queue_encryption_with_cmk.go (about)

     1  package sqs
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckQueueEncryptionUsesCMK = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0135",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "sqs",
    16  		ShortCode:   "queue-encryption-use-cmk",
    17  		Summary:     "SQS queue should be encrypted with a CMK.",
    18  		Impact:      "The SQS queue messages could be read if compromised. Key management is very limited when using default keys.",
    19  		Resolution:  "Encrypt SQS Queue with a customer-managed key",
    20  		Explanation: `Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.`,
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformQueueEncryptionUsesCMKGoodExamples,
    26  			BadExamples:         terraformQueueEncryptionUsesCMKBadExamples,
    27  			Links:               terraformQueueEncryptionUsesCMKLinks,
    28  			RemediationMarkdown: terraformQueueEncryptionUsesCMKRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationQueueEncryptionUsesCMKGoodExamples,
    32  			BadExamples:         cloudFormationQueueEncryptionUsesCMKBadExamples,
    33  			Links:               cloudFormationQueueEncryptionUsesCMKLinks,
    34  			RemediationMarkdown: cloudFormationQueueEncryptionUsesCMKRemediationMarkdown,
    35  		},
    36  		Severity: severity.High,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, queue := range s.AWS.SQS.Queues {
    40  			if queue.Metadata.IsUnmanaged() {
    41  				continue
    42  			}
    43  			if queue.Encryption.KMSKeyID.EqualTo("alias/aws/sqs") {
    44  				results.Add(
    45  					"Queue is not encrypted with a customer managed key.",
    46  					queue.Encryption.KMSKeyID,
    47  				)
    48  			} else {
    49  				results.AddPassed(&queue)
    50  			}
    51  		}
    52  		return
    53  	},
    54  )