Id: 12726829-93ed-4d51-9cbe-13423f4299e1
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Encryption
Description
SQS queues should encrypt message contents at rest so that a compromise of the underlying storage, backups, or snapshots does not disclose message data, and to meet data protection and compliance requirements. Note that SQS server-side encryption covers message bodies only: queue metadata (queue name and attributes) and message metadata (message ID, timestamps, and message attributes) are not encrypted, so secrets must never be placed in message attributes.
In CloudFormation, AWS::SQS::Queue resources must either define Properties.KmsMasterKeyId (a KMS key ID, ARN, or alias, either the AWS-managed alias/aws/sqs or a customer-managed key, which enables SSE-KMS) or set Properties.SqsManagedSseEnabled to true (which enables SSE-SQS with SQS-owned keys). Only one of the two encryption modes can be active on a queue, so set one or the other, not both. With SSE-KMS, every producer and consumer principal also needs kms:GenerateDataKey and kms:Decrypt on the key, or sends and receives fail. Resources that omit KmsMasterKeyId and either omit SqsManagedSseEnabled or set it to false (as a boolean or as the string "false", both of which CloudFormation accepts) will be flagged.
Secure configurations:

```yaml
MyQueue:
  Type: AWS::SQS::Queue
  Properties:
    SqsManagedSseEnabled: true

MyQueueWithKms:
  Type: AWS::SQS::Queue
  Properties:
    KmsMasterKeyId: arn:aws:kms:us-west-2:123456789012:key/EXAMPLE-KEY-ID
```
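The rule logic above can be exercised locally before a template reaches the scanner. The following is an added example, not Datadog's scanner or any AWS tooling: it applies the same decision (KmsMasterKeyId present, or SqsManagedSseEnabled true) to a CloudFormation template parsed from JSON, handling the boolean-as-string form CloudFormation accepts and intrinsic-function values such as `{"Ref": ...}` for the key. The template it runs over is constructed for the example; the `QueueKey` it references is assumed to be an AWS::KMS::Key defined elsewhere in a real template.

```python
"""Minimal checker for the rule "SQS queue should have server-side encryption
enabled". Added example only; it is not Datadog's implementation."""
import json
from typing import Any

SQS_QUEUE = "AWS::SQS::Queue"


def _truthy(value: Any) -> bool:
    """CloudFormation accepts Boolean properties as real booleans or as the
    strings "true"/"false"; normalize both. Any other shape (for example an
    intrinsic function dict) is not known to be true, so it is not trusted."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def queue_is_encrypted(props: dict) -> bool:
    """True when the queue's Properties enable SSE by either supported path."""
    kms_key = props.get("KmsMasterKeyId")
    # Any non-empty value counts as SSE-KMS: a key ID, ARN, alias, or an
    # intrinsic such as {"Ref": "QueueKey"} that resolves at deploy time.
    if kms_key not in (None, ""):
        return True
    # Otherwise SSE-SQS must be explicitly enabled.
    return _truthy(props.get("SqsManagedSseEnabled"))


def find_unencrypted_queues(template: dict) -> list[str]:
    """Logical IDs of AWS::SQS::Queue resources this rule would flag."""
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SQS_QUEUE:
            continue
        # A queue with no Properties block at all is also unencrypted.
        props = resource.get("Properties") or {}
        if not queue_is_encrypted(props):
            flagged.append(logical_id)
    return flagged


# Constructed sample template (not taken from the page): compliant and
# non-compliant queues plus the edge cases the rule has to handle.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "KmsQueue": {"Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "RefKeyQueue": {"Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": {"Ref": "QueueKey"}}},
    "SqsSseQueue": {"Type": "AWS::SQS::Queue",
      "Properties": {"SqsManagedSseEnabled": "true"}},
    "NoPropsQueue": {"Type": "AWS::SQS::Queue"},
    "DefaultQueue": {"Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "SampleQueue"}},
    "DisabledQueue": {"Type": "AWS::SQS::Queue",
      "Properties": {"SqsManagedSseEnabled": false}},
    "NotAQueue": {"Type": "AWS::SNS::Topic", "Properties": {}}
  }
}
""")


if __name__ == "__main__":
    for logical_id in find_unencrypted_queues(SAMPLE_TEMPLATE):
        print(f"{logical_id}: AWS::SQS::Queue without server-side encryption")
```

The checker deliberately does not resolve intrinsics: a `Ref` to a KMS key cannot be verified statically, so it is accepted as a key reference, while a `SqsManagedSseEnabled` value that is itself an intrinsic (for example a `Ref` to a parameter) is treated as unknown and flagged, matching the rule's conservative reading that encryption must be visibly enabled in the template.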
Compliant Code Examples
```yaml
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      KmsMasterKeyId: wewewewewewe  # placeholder; supply a real KMS key ID, ARN, or alias
  MyQueue2:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      SqsManagedSseEnabled: true
```
```json
{
  "Resources": {
    "MyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "KmsMasterKeyId": "wewewewewewe"
      }
    },
    "MyQueue2": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "SqsManagedSseEnabled": "true"
      }
    }
  }
}
```
Non-Compliant Code Examples
```json
{
  "Resources": {
    "MyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue"
      }
    },
    "MyQueue2": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "SqsManagedSseEnabled": "false"
      }
    }
  }
}
```
```yaml
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
  MyQueue2:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      SqsManagedSseEnabled: false
```