sqs

package
v0.2.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 17, 2021 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var CheckEnableQueueEncryption = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0096",
		Provider:    provider.AWSProvider,
		Service:     "sqs",
		ShortCode:   "enable-queue-encryption",
		Summary:     "Unencrypted SQS queue.",
		Impact:      "The SQS queue messages could be read if compromised",
		Resolution:  "Turn on SQS Queue encryption",
		Explanation: `Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, queue := range s.AWS.SQS.Queues {
			if queue.Encryption.KMSKeyID.IsEmpty() || queue.Encryption.KMSKeyID.EqualTo("alias/aws/sqs") {
				results.Add(
					"Queue is not encrypted with a customer managed key.",
					&queue,
					queue.Encryption.KMSKeyID,
				)
			} else {
				results.AddPassed(&queue)
			}
		}
		return
	},
)
View Source
var CheckNoWildcardsInPolicyDocuments = rules.Register(
	rules.Rule{
		AVDID:      "AVD-AWS-0097",
		Provider:   provider.AWSProvider,
		Service:    "sqs",
		ShortCode:  "no-wildcards-in-policy-documents",
		Summary:    "AWS SQS policy document has wildcard action statement.",
		Impact:     "SQS policies with wildcard actions allow more that is required",
		Resolution: "Keep policy scope to the minimum that is required to be effective",
		Explanation: `SQS Policy actions should always be restricted to a specific set.

This ensures that the queue itself cannot be modified or deleted, and prevents possible future additions to queue actions to be implicitly allowed.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		for _, queue := range s.AWS.SQS.Queues {
			var fail bool
			for _, statement := range queue.Policy.Statements {
				if strings.ToLower(statement.Effect) != "allow" {
					continue
				}
				for _, action := range statement.Action {
					action = strings.ToLower(action)
					if action == "*" || action == "sqs:*" {
						fail = true
						results.Add(
							"Queue policy does not restrict actions to a known set.",
							&queue,
							queue.Policy,
						)
						break
					}
				}
			}
			if !fail {
				results.AddPassed(&queue)
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL