
Metadata

Id: 12726829-93ed-4d51-9cbe-13423f4299e1

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Encryption

Description

SQS queues should encrypt message contents at rest to prevent unauthorized disclosure if storage, backups, or snapshots are compromised and to meet data protection and compliance requirements.

In CloudFormation, AWS::SQS::Queue resources must either define Properties.KmsMasterKeyId (a customer-managed KMS key ID, ARN, or alias) or set Properties.SqsManagedSseEnabled to true to enable server-side encryption. Resources that omit KmsMasterKeyId and either omit SqsManagedSseEnabled or set it to false will be flagged.
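As an added illustration of the check described above (not Datadog's rule implementation), the following Python snippet walks a parsed CloudFormation template and reports the logical IDs of AWS::SQS::Queue resources that have neither KmsMasterKeyId nor SqsManagedSseEnabled set to true; it also accepts the string form "true"/"false" that CloudFormation allows for booleans. The embedded template and the alias name in it are constructed for this example.

```python
"""Flag AWS::SQS::Queue resources without encryption at rest (added example)."""
import json

SQS_QUEUE = "AWS::SQS::Queue"


def _as_bool(value):
    """CloudFormation accepts booleans as true/false or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def queue_is_encrypted(properties):
    """Compliant if the queue names a KMS key or enables SQS-managed SSE."""
    # Any non-empty KmsMasterKeyId counts: key ID, ARN, alias, or an intrinsic like {"Ref": ...}
    if properties.get("KmsMasterKeyId") not in (None, ""):
        return True
    return _as_bool(properties.get("SqsManagedSseEnabled"))


def find_unencrypted_queues(template):
    """Return logical IDs of SQS queues this rule would flag."""
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SQS_QUEUE:
            continue
        # A queue with no Properties block at all is also unencrypted
        if not queue_is_encrypted(resource.get("Properties") or {}):
            flagged.append(logical_id)
    return flagged


# Constructed template mirroring the page's compliant and non-compliant examples;
# the alias name is a made-up placeholder.
TEMPLATE = json.loads("""
{"Resources": {
  "KmsQueue":     {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": "alias/example-queue-key"}},
  "ManagedSse":   {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": "true"}},
  "NoEncryption": {"Type": "AWS::SQS::Queue", "Properties": {"QueueName": "SampleQueue"}},
  "SseDisabled":  {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": false}},
  "NotAQueue":    {"Type": "AWS::SNS::Topic"}
}}
""")

if __name__ == "__main__":
    print(find_unencrypted_queues(TEMPLATE))  # ['NoEncryption', 'SseDisabled']
```

For YAML templates, load the document into a dict first (for example with PyYAML) and pass the result to find_unencrypted_queues.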

Secure configurations:

MyQueue:
  Type: AWS::SQS::Queue
  Properties:
    SqsManagedSseEnabled: true
MyQueueWithKms:
  Type: AWS::SQS::Queue
  Properties:
    KmsMasterKeyId: arn:aws:kms:us-west-2:123456789012:key/EXAMPLE-KEY-ID

Compliant Code Examples

Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      KmsMasterKeyId: wewewewewewe
  MyQueue2:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      SqsManagedSseEnabled: true
{
  "Resources": {
    "MyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "KmsMasterKeyId": "wewewewewewe"
      }
    },
    "MyQueue2": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "SqsManagedSseEnabled": "true"
      }
    }
  }
}

Non-Compliant Code Examples

{
  "Resources": {
    "MyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue"
      }
    },
    "MyQueue2": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "SqsManagedSseEnabled": "false"
      }
    }
  }
}

Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
  MyQueue2:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      SqsManagedSseEnabled: false