SNS Topic Without KmsMasterKeyId
- Query id: 9d13b150-a2ab-42a1-b6f4-142e41f81e52
- Query name: SNS Topic Without KmsMasterKeyId
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description
Every AWS::SNS::Topic should set the KmsMasterKeyId property. When it is absent, Amazon SNS applies no server-side encryption and messages held by the topic are stored unencrypted; setting it to a KMS key ID, key ARN, alias name or alias ARN enables SSE with that key. Two caveats matter in practice: the key policy (or a grant) must allow the sns.amazonaws.com service principal, and every publishing principal, to call kms:GenerateDataKey* and kms:Decrypt, otherwise the topic deploys but publishes fail with KMS access errors; and SSE protects data at rest only, so delivery to subscribers still depends on transport security (HTTPS endpoints).
Documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html#cfn-sns-topic-kmsmasterkeyid
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Fn::GetAtt:
              - "MyQueue1"
              - "Arn"
          Protocol: "sqs"
        - Endpoint:
            Fn::GetAtt:
              - "MyQueue2"
              - "Arn"
          Protocol: "sqs"
      TopicName: "SampleTopic"
      # No KmsMasterKeyId: the topic is created without server-side encryption
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySNSTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": {
              "Fn::GetAtt": [
                "MyQueue1",
                "Arn"
              ]
            },
            "Protocol": "sqs"
          },
          {
            "Endpoint": {
              "Fn::GetAtt": [
                "MyQueue2",
                "Arn"
              ]
            },
            "Protocol": "sqs"
          }
        ],
        "TopicName": "SampleTopic"
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Fn::GetAtt:
              - "MyQueue1"
              - "Arn"
          Protocol: "sqs"
        - Endpoint:
            Fn::GetAtt:
              - "MyQueue2"
              - "Arn"
          Protocol: "sqs"
      TopicName: "SampleTopic"
      # Placeholder value; accepts a key ID, key ARN, alias name (e.g. alias/aws/sns
      # for the AWS managed key) or alias ARN. A customer-managed key is preferred so
      # its key policy can be scoped to SNS and this topic's publishers.
      KmsMasterKeyId: "kmsMasterKeyId"
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySNSTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": {
              "Fn::GetAtt": [
                "MyQueue1",
                "Arn"
              ]
            },
            "Protocol": "sqs"
          },
          {
            "Endpoint": {
              "Fn::GetAtt": [
                "MyQueue2",
                "Arn"
              ]
            },
            "Protocol": "sqs"
          }
        ],
        "TopicName": "SampleTopic",
        "KmsMasterKeyId": "kmsMasterKeyId"
      }
    }
  }
}
```
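The check this query performs, re-implemented as an added example in Python (this is not the KICS Rego query or any code from the page): it walks a parsed CloudFormation template, flags every AWS::SNS::Topic whose KmsMasterKeyId is absent, null or blank, and accepts a non-empty string or an intrinsic such as a Ref. The two embedded templates are constructed for the example; the negative one goes one step beyond the page's samples by pairing the topic with a customer-managed AWS::KMS::Key whose key policy admits the SNS service principal, which is the part that makes the fixed topic actually usable. The logical IDs TopicKey and MySNSTopic, and the account-admin key-policy statement, are assumptions. Templates are read as JSON so the script needs only the standard library; a YAML template would first go through a CloudFormation-aware YAML loader.

```python
"""Added example: flag SNS topics created without server-side encryption."""
import json
from typing import Any

SNS_TOPIC = "AWS::SNS::Topic"


def find_unencrypted_sns_topics(template: dict[str, Any]) -> list[str]:
    """Return logical IDs of AWS::SNS::Topic resources lacking a usable KmsMasterKeyId."""
    findings: list[str] = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != SNS_TOPIC:
            continue
        props = resource.get("Properties") or {}
        key = props.get("KmsMasterKeyId")
        # None covers both a missing property and an explicit null; a blank string
        # is treated as missing too. Dict values (Ref / Fn::GetAtt / Fn::Sub) pass,
        # since CloudFormation resolves them to a key identifier at deploy time.
        if key is None or (isinstance(key, str) and not key.strip()):
            findings.append(logical_id)
    return findings


def scan_template_json(text: str) -> list[str]:
    """Parse a JSON CloudFormation template and run the check on it."""
    return find_unencrypted_sns_topics(json.loads(text))


# Constructed sample mirroring the page's positive case: no KmsMasterKeyId.
POSITIVE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MySNSTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {"TopicName": "SampleTopic"},
        }
    },
})

# Constructed sample of the fixed form. The AllowSNSToUseKey statement is what
# lets SNS encrypt and decrypt with the key; without it the topic still deploys
# but publishes fail with KMS access errors. Resource names are assumptions.
NEGATIVE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "TopicKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "EnableKeyRotation": True,
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AccountAdmin",
                            "Effect": "Allow",
                            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                            "Action": "kms:*",
                            "Resource": "*",
                        },
                        {
                            "Sid": "AllowSNSToUseKey",
                            "Effect": "Allow",
                            "Principal": {"Service": "sns.amazonaws.com"},
                            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
                            "Resource": "*",
                        },
                    ],
                },
            },
        },
        "MySNSTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "TopicName": "SampleTopic",
                "KmsMasterKeyId": {"Ref": "TopicKey"},
            },
        },
    },
})


if __name__ == "__main__":
    for label, text in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE)):
        print(f"{label}: unencrypted topics = {scan_template_json(text)}")
```

Running the script reports MySNSTopic for the positive template and an empty list for the negative one. Treating a blank or null value as missing matters because a template that sets the property to an empty string passes a naive "key is present" check while still creating an unencrypted topic.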