// CheckEnableQueueEncryption (AVD-AWS-0096) reports SQS queues that have no
// server-side encryption configured at all.
//
// A queue fails only when its KMS key ID is empty AND SQS-managed encryption
// is false; every other combination is recorded as a pass. Whether the key in
// use is customer-managed is a separate concern, handled by
// CheckQueueEncryptionUsesCMK. Queues the scanner never saw defined
// (unmanaged) are skipped rather than reported.
var CheckEnableQueueEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0096",
		Provider:    providers.AWSProvider,
		Service:     "sqs",
		ShortCode:   "enable-queue-encryption",
		Summary:     "Unencrypted SQS queue.",
		Impact:      "The SQS queue messages could be read if compromised",
		Resolution:  "Turn on SQS Queue encryption",
		Explanation: `Queues should be encrypted to protect queue contents.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableQueueEncryptionGoodExamples,
			BadExamples:         terraformEnableQueueEncryptionBadExamples,
			Links:               terraformEnableQueueEncryptionLinks,
			RemediationMarkdown: terraformEnableQueueEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableQueueEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableQueueEncryptionBadExamples,
			Links:               cloudFormationEnableQueueEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableQueueEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, queue := range s.AWS.SQS.Queues {
			// A queue that only exists as a reference has nothing to assess.
			if queue.Metadata.IsUnmanaged() {
				continue
			}
			enc := queue.Encryption
			// "Unencrypted" means no KMS key and SSE-SQS explicitly false.
			// Note this is not the same as "SSE-SQS is true": an unresolvable
			// ManagedEncryption value is not false and therefore passes.
			unencrypted := enc.KMSKeyID.IsEmpty() && enc.ManagedEncryption.IsFalse()
			if !unencrypted {
				results.AddPassed(&queue)
				continue
			}
			results.Add("Queue is not encrypted", enc)
		}
		return
	},
)
// CheckNoWildcardsInPolicyDocuments (AVD-AWS-0097) reports queue policies
// whose Allow statements grant "*" or "sqs:*".
//
// Scope of the check, as implemented: only the Action list of each Allow
// statement is inspected (case-insensitively). NotAction, Resource and
// Principal are not evaluated by this rule, so an over-broad principal with a
// narrow action list passes here. One finding is raised per offending
// statement; a pass is recorded per policy document, so a queue with no
// policies attached produces neither a pass nor a fail.
//
// NOTE(review): unlike the two encryption rules in this package, unmanaged
// queues are not skipped here — presumably so that a policy attached to a
// queue defined outside the scanned configuration is still checked; confirm
// against the adapters before changing it.
var CheckNoWildcardsInPolicyDocuments = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0097",
		Provider:    providers.AWSProvider,
		Service:     "sqs",
		ShortCode:   "no-wildcards-in-policy-documents",
		Summary:     "AWS SQS policy document has wildcard action statement.",
		Impact:      "SQS policies with wildcard actions allow more that is required",
		Resolution:  "Keep policy scope to the minimum that is required to be effective",
		Explanation: `SQS Policy actions should always be restricted to a specific set. This ensures that the queue itself cannot be modified or deleted, and prevents possible future additions to queue actions to be implicitly allowed.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoWildcardsInPolicyDocumentsGoodExamples,
			BadExamples:         terraformNoWildcardsInPolicyDocumentsBadExamples,
			Links:               terraformNoWildcardsInPolicyDocumentsLinks,
			RemediationMarkdown: terraformNoWildcardsInPolicyDocumentsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoWildcardsInPolicyDocumentsGoodExamples,
			BadExamples:         cloudFormationNoWildcardsInPolicyDocumentsBadExamples,
			Links:               cloudFormationNoWildcardsInPolicyDocumentsLinks,
			RemediationMarkdown: cloudFormationNoWildcardsInPolicyDocumentsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		// IAM action names are case-insensitive, hence the lower-casing.
		isWildcardAction := func(action string) bool {
			switch strings.ToLower(action) {
			case "*", "sqs:*":
				return true
			}
			return false
		}

		for _, queue := range s.AWS.SQS.Queues {
			for _, doc := range queue.Policies {
				parsed := doc.Document.Parsed
				// Parse errors are discarded here, as upstream does; a policy
				// that cannot be parsed simply yields no statements and passes.
				statements, _ := parsed.Statements()

				flagged := false
				for _, stmt := range statements {
					// Deny statements cannot widen access; skip them.
					if effect, _ := stmt.Effect(); effect != iamgo.EffectAllow {
						continue
					}
					actions, actionRange := stmt.Actions()
					for _, action := range actions {
						if !isWildcardAction(action) {
							continue
						}
						flagged = true
						results.Add(
							"Queue policy does not restrict actions to a known set.",
							doc.Document.MetadataFromIamGo(stmt.Range(), actionRange),
						)
						// One finding per statement is enough.
						break
					}
				}
				if !flagged {
					results.AddPassed(&queue)
				}
			}
		}
		return
	},
)
// CheckQueueEncryptionUsesCMK (AVD-AWS-0135) reports queues encrypted with
// the AWS-managed SQS key instead of a customer-managed KMS key.
//
// The rule fails only when KMSKeyID equals the literal "alias/aws/sqs".
// An empty key ID (no encryption, or SQS-managed SSE) therefore passes this
// rule; whether encryption is enabled at all is CheckEnableQueueEncryption's
// job, so a queue relying on SSE-SQS passes both. Unmanaged queues are
// skipped.
//
// NOTE(review): the comparison is an exact string match. The same
// AWS-managed key referenced by alias ARN or by key ID would not be flagged
// unless the adapters normalise the value to the bare alias first — confirm.
var CheckQueueEncryptionUsesCMK = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0135",
		Provider:    providers.AWSProvider,
		Service:     "sqs",
		ShortCode:   "queue-encryption-use-cmk",
		Summary:     "SQS queue should be encrypted with a CMK.",
		Impact:      "The SQS queue messages could be read if compromised. Key management is very limited when using default keys.",
		Resolution:  "Encrypt SQS Queue with a customer-managed key",
		Explanation: `Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformQueueEncryptionUsesCMKGoodExamples,
			BadExamples:         terraformQueueEncryptionUsesCMKBadExamples,
			Links:               terraformQueueEncryptionUsesCMKLinks,
			RemediationMarkdown: terraformQueueEncryptionUsesCMKRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationQueueEncryptionUsesCMKGoodExamples,
			BadExamples:         cloudFormationQueueEncryptionUsesCMKBadExamples,
			Links:               cloudFormationQueueEncryptionUsesCMKLinks,
			RemediationMarkdown: cloudFormationQueueEncryptionUsesCMKRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		// The default key alias AWS assigns when no CMK is supplied.
		const awsManagedKeyAlias = "alias/aws/sqs"

		for _, queue := range s.AWS.SQS.Queues {
			if queue.Metadata.IsUnmanaged() {
				continue
			}
			keyID := queue.Encryption.KMSKeyID
			if !keyID.EqualTo(awsManagedKeyAlias) {
				// Includes empty key IDs; see the doc comment above.
				results.AddPassed(&queue)
				continue
			}
			results.Add("Queue is not encrypted with a customer managed key.", keyID)
		}
		return
	},
)