typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue

Queue $X is missing encryption at rest. Add "encryption: $Y.QueueEncryption.KMS" or "encryption: $Y.QueueEncryption.KMS_MANAGED" to the queue props to enable encryption at rest for the queue.
Definition
# Semgrep rule: report an SQS Queue construct whose props do not select
# KMS or KMS_MANAGED encryption at rest (CWE-311).
rules:
  - id: awscdk-sqs-unencryptedqueue
    message: 'Queue $X is missing encryption at rest. Add "encryption:
      $Y.QueueEncryption.KMS" or "encryption: $Y.QueueEncryption.KMS_MANAGED" to
      the queue props to enable encryption at rest for the queue.'
    metadata:
      category: security
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      technology:
        - AWS-CDK
      references:
        - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ts
    severity: WARNING
    # Two branches, one per import style. Both branches anchor on the CDK v1
    # module specifier '@aws-cdk/aws-sqs'; a file that imports the same
    # construct from another path (e.g. the v2 'aws-cdk-lib/aws-sqs') is not
    # matched by this rule as written.
    pattern-either:
      # Branch 1: named import `import {Queue} from '@aws-cdk/aws-sqs'`.
      - patterns:
          - pattern-inside: |
              import {Queue} from '@aws-cdk/aws-sqs'
              ...
          # Only `const` declarations are matched; a Queue bound with `let`,
          # `var`, or assigned to a class field is not reported.
          - pattern: const $X = new Queue(...)
          # Only KMS_MANAGED and KMS are accepted. Omitted props and an
          # explicit QueueEncryption.UNENCRYPTED are both reported.
          # NOTE(review): newer CDK releases also expose
          # QueueEncryption.SQS_MANAGED (SSE-SQS); it is not in this
          # allow-list and would be reported — confirm whether that is intended.
          - pattern-not: >
              const $X = new Queue(..., {..., encryption:
              QueueEncryption.KMS_MANAGED, ...})
          - pattern-not: >
              const $X = new Queue(..., {..., encryption: QueueEncryption.KMS,
              ...})
      # Branch 2: namespace import `import * as $Y from '@aws-cdk/aws-sqs'`.
      # $Y is bound by the import so any alias (sqs, rename_sqs, ...) works.
      - patterns:
          - pattern-inside: |
              import * as $Y from '@aws-cdk/aws-sqs'
              ...
          - pattern: const $X = new $Y.Queue(...)
          # Same allow-list as branch 1, qualified with the namespace alias.
          - pattern-not: >
              const $X = new $Y.Queue(..., {..., encryption:
              $Y.QueueEncryption.KMS_MANAGED, ...})
          - pattern-not: >
              const $X = new $Y.Queue(..., {..., encryption:
              $Y.QueueEncryption.KMS, ...})
Examples
awscdk-sqs-unencryptedqueue.ts
import * as cdk from '@aws-cdk/core';
import * as sqs from '@aws-cdk/aws-sqs';
import * as rename_sqs from '@aws-cdk/aws-sqs';
import {Queue, QueueEncryption} from '@aws-cdk/aws-sqs';
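/**
 * Test fixture for the `awscdk-sqs-unencryptedqueue` rule.
 *
 * Each `ruleid:` annotation marks a line the rule must report and each
 * `ok:` annotation a line it must not. The same Queue construct is created
 * through three import styles (namespace import `sqs`, renamed namespace
 * import `rename_sqs`, named import `Queue`) so that every `pattern-either`
 * branch of the rule is exercised.
 *
 * Construct IDs are unique within the stack: CDK rejects two children with
 * the same id under one scope, so the duplicated ids in the earlier version
 * of this fixture would have failed at synth time even though the rule
 * itself only inspects the `encryption` prop.
 */
export class Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // --- Namespace import: `sqs.Queue` / `sqs.QueueEncryption` ---
    // No props at all: encryption at rest is not enabled.
    // ruleid:awscdk-sqs-unencryptedqueue
    const unencryptedQueue1 = new sqs.Queue(this, 'unencryptedQueue1');
    // Explicitly opting out is reported just like omitting the prop.
    // ruleid:awscdk-sqs-unencryptedqueue
    const unencryptedQueue2 = new sqs.Queue(this, 'unencryptedQueue2', {
      encryption: sqs.QueueEncryption.UNENCRYPTED,
    });
    //ok:awscdk-sqs-unencryptedqueue
    const encryptedQueue1 = new sqs.Queue(this, 'encryptedQueue1', {
      encryption: sqs.QueueEncryption.KMS_MANAGED,
    });
    //ok:awscdk-sqs-unencryptedqueue
    const encryptedQueue2 = new sqs.Queue(this, 'encryptedQueue2', {
      encryption: sqs.QueueEncryption.KMS,
    });

    // --- Renamed namespace import: the rule binds the alias via $Y ---
    // ruleid:awscdk-sqs-unencryptedqueue
    const unencryptedQueue1RenamedImport = new rename_sqs.Queue(this, 'unencryptedQueue1RenamedImport');
    // ruleid:awscdk-sqs-unencryptedqueue
    const unencryptedQueue2RenamedImport = new rename_sqs.Queue(this, 'unencryptedQueue2RenamedImport', {
      encryption: rename_sqs.QueueEncryption.UNENCRYPTED,
    });
    //ok:awscdk-sqs-unencryptedqueue
    const encryptedQueue1RenamedImport = new rename_sqs.Queue(this, 'encryptedQueue1RenamedImport', {
      encryption: rename_sqs.QueueEncryption.KMS_MANAGED,
    });
    //ok:awscdk-sqs-unencryptedqueue
    const encryptedQueue2RenamedImport = new rename_sqs.Queue(this, 'encryptedQueue2RenamedImport', {
      encryption: rename_sqs.QueueEncryption.KMS,
    });

    // --- Named import: `Queue` / `QueueEncryption` ---
    // ruleid:awscdk-sqs-unencryptedqueue
    const unencryptedQueue1DirectImport = new Queue(this, 'unencryptedQueue1DirectImport');
    // ruleid:awscdk-sqs-unencryptedqueue
    const unencryptedQueue2DirectImport = new Queue(this, 'unencryptedQueue2DirectImport', {
      encryption: QueueEncryption.UNENCRYPTED,
    });
    //ok:awscdk-sqs-unencryptedqueue
    const encryptedQueue1DirectImport = new Queue(this, 'encryptedQueue1DirectImport', {
      encryption: QueueEncryption.KMS_MANAGED,
    });
    //ok:awscdk-sqs-unencryptedqueue
    const encryptedQueue2DirectImport = new Queue(this, 'encryptedQueue2DirectImport', {
      encryption: QueueEncryption.KMS,
    });
  }
}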