SQS With SSE Disabled
- Query id: 9296f1cc-7a40-45de-bd41-f31745488a0e
- Query name: SQS With SSE Disabled
- Platform: Crossplane
- Severity: Medium
- Category: Encryption
- URL: Github
Description
Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE); for a Crossplane `Queue`, this means setting `spec.forProvider.kmsMasterKeyId`.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
apiVersion: sqs.aws.crossplane.io/v1beta1
kind: Queue
metadata:
  name: test-queue3
spec:
  forProvider:
    region: us-east-1
    delaySeconds: 4
    redrivePolicy:
      deadLetterTargetArnRef:
        name: test-queue2
      maxReceiveCount: 1
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: sqs.aws.crossplane.io/v1beta1
        kind: Queue
        metadata:
          name: test-queue4
        spec:
          forProvider:
            region: us-east-1
            delaySeconds: 4
            redrivePolicy:
              deadLetterTargetArnRef:
                name: test-queue2
              maxReceiveCount: 1
          providerConfigRef:
            name: example
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
apiVersion: sqs.aws.crossplane.io/v1beta1
kind: Queue
metadata:
  name: test-queue
spec:
  forProvider:
    region: us-east-1
    kmsMasterKeyId: KMS-KEY-ARN
    delaySeconds: 4
    redrivePolicy:
      deadLetterTargetArnRef:
        name: test-queue2
      maxReceiveCount: 1
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: sqs.aws.crossplane.io/v1beta1
        kind: Queue
        metadata:
          name: test-queue2
        spec:
          forProvider:
            region: us-east-1
            kmsMasterKeyId: KMS-KEY-ARN
            delaySeconds: 4
            redrivePolicy:
              deadLetterTargetArnRef:
                name: test-queue2
              maxReceiveCount: 1
          providerConfigRef:
            name: example
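The check behind both samples above, as an added Python example (not the KICS query's own Rego): it walks a multi-document manifest, finds every Crossplane SQS `Queue`, whether top-level or embedded as a `Composition` resource `base`, and reports those whose `spec.forProvider` has no `kmsMasterKeyId`. The manifest below is a constructed, condensed version of the page's two cases; PyYAML is assumed.

```python
import yaml  # PyYAML

# Constructed sample: a bare Queue with no key, and a Composition whose base Queue
# sets kmsMasterKeyId (the page's positive and negative cases, trimmed).
SAMPLE = """
apiVersion: sqs.aws.crossplane.io/v1beta1
kind: Queue
metadata:
  name: test-queue3
spec:
  forProvider:
    region: us-east-1
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
spec:
  resources:
    - name: sample-ec2
      base:
        apiVersion: sqs.aws.crossplane.io/v1beta1
        kind: Queue
        metadata:
          name: test-queue2
        spec:
          forProvider:
            region: us-east-1
            kmsMasterKeyId: KMS-KEY-ARN
"""

def iter_queues(doc):
    """Yield every SQS Queue in a document, including Composition resource bases."""
    if not isinstance(doc, dict):
        return
    api = str(doc.get("apiVersion", ""))
    if doc.get("kind") == "Queue" and api.startswith("sqs.aws.crossplane.io/"):
        yield doc
    elif doc.get("kind") == "Composition":
        for res in (doc.get("spec") or {}).get("resources") or []:
            yield from iter_queues((res or {}).get("base"))

def queues_without_sse(manifest):
    """Return names of Queues whose spec.forProvider sets no kmsMasterKeyId."""
    findings = []
    for doc in yaml.safe_load_all(manifest):
        for q in iter_queues(doc):
            for_provider = (q.get("spec") or {}).get("forProvider") or {}
            if not for_provider.get("kmsMasterKeyId"):  # missing or empty key
                findings.append((q.get("metadata") or {}).get("name"))
    return findings
```

Running `queues_without_sse(SAMPLE)` returns `['test-queue3']`: the embedded queue passes because its base sets the key, the top-level one is flagged.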