Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckEnableQueueEncryption = rules.Register( rules.Rule{ AVDID: "AVD-AWS-0096", Provider: provider.AWSProvider, Service: "sqs", ShortCode: "enable-queue-encryption", Summary: "Unencrypted SQS queue.", Impact: "The SQS queue messages could be read if compromised", Resolution: "Turn on SQS Queue encryption", Explanation: `Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.`, Links: []string{ "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html", }, Terraform: &rules.EngineMetadata{ GoodExamples: terraformEnableQueueEncryptionGoodExamples, BadExamples: terraformEnableQueueEncryptionBadExamples, Links: terraformEnableQueueEncryptionLinks, RemediationMarkdown: terraformEnableQueueEncryptionRemediationMarkdown, }, CloudFormation: &rules.EngineMetadata{ GoodExamples: cloudFormationEnableQueueEncryptionGoodExamples, BadExamples: cloudFormationEnableQueueEncryptionBadExamples, Links: cloudFormationEnableQueueEncryptionLinks, RemediationMarkdown: cloudFormationEnableQueueEncryptionRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results rules.Results) { for _, queue := range s.AWS.SQS.Queues { if queue.Encryption.KMSKeyID.IsEmpty() || queue.Encryption.KMSKeyID.EqualTo("alias/aws/sqs") { results.Add( "Queue is not encrypted with a customer managed key.", &queue, queue.Encryption.KMSKeyID, ) } else { results.AddPassed(&queue) } } return }, )
View Source
var CheckNoWildcardsInPolicyDocuments = rules.Register( rules.Rule{ AVDID: "AVD-AWS-0097", Provider: provider.AWSProvider, Service: "sqs", ShortCode: "no-wildcards-in-policy-documents", Summary: "AWS SQS policy document has wildcard action statement.", Impact: "SQS policies with wildcard actions allow more that is required", Resolution: "Keep policy scope to the minimum that is required to be effective", Explanation: `SQS Policy actions should always be restricted to a specific set. This ensures that the queue itself cannot be modified or deleted, and prevents possible future additions to queue actions to be implicitly allowed.`, Links: []string{ "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html", }, Terraform: &rules.EngineMetadata{ GoodExamples: terraformNoWildcardsInPolicyDocumentsGoodExamples, BadExamples: terraformNoWildcardsInPolicyDocumentsBadExamples, Links: terraformNoWildcardsInPolicyDocumentsLinks, RemediationMarkdown: terraformNoWildcardsInPolicyDocumentsRemediationMarkdown, }, CloudFormation: &rules.EngineMetadata{ GoodExamples: cloudFormationNoWildcardsInPolicyDocumentsGoodExamples, BadExamples: cloudFormationNoWildcardsInPolicyDocumentsBadExamples, Links: cloudFormationNoWildcardsInPolicyDocumentsLinks, RemediationMarkdown: cloudFormationNoWildcardsInPolicyDocumentsRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results rules.Results) { for _, queue := range s.AWS.SQS.Queues { var fail bool for _, statement := range queue.Policy.Statements { if strings.ToLower(statement.Effect) != "allow" { continue } for _, action := range statement.Action { action = strings.ToLower(action) if action == "*" || action == "sqs:*" { fail = true results.Add( "Queue policy does not restrict actions to a known set.", &queue, queue.Policy, ) break } } } if !fail { results.AddPassed(&queue) } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Click to show internal directories.
Click to hide internal directories.