SQS With SSE Disabled

  • Query id: 9296f1cc-7a40-45de-bd41-f31745488a0e
  • Query name: SQS With SSE Disabled
  • Platform: Crossplane
  • Severity: Medium
  • Category: Encryption
  • CWE: Ongoing
  • URL: Github

Description

Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: sqs.aws.crossplane.io/v1beta1
kind: Queue
metadata:
  name: test-queue3
spec:
  forProvider:
    region: us-east-1
    delaySeconds: 4
    redrivePolicy:
      deadLetterTargetArnRef:
        name: test-queue2
      maxReceiveCount: 1
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: sqs.aws.crossplane.io/v1beta1
        kind: Queue
        metadata:
          name: test-queue4
        spec:
          forProvider:
            region: us-east-1
            delaySeconds: 4
            redrivePolicy:
              deadLetterTargetArnRef:
                name: test-queue2
              maxReceiveCount: 1
          providerConfigRef:
            name: example

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: sqs.aws.crossplane.io/v1beta1
kind: Queue
metadata:
  name: test-queue
spec:
  forProvider:
    region: us-east-1
    kmsMasterKeyId: KMS-KEY-ARN
    delaySeconds: 4
    redrivePolicy:
      deadLetterTargetArnRef:
        name: test-queue2
      maxReceiveCount: 1
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: sqs.aws.crossplane.io/v1beta1
        kind: Queue
        metadata:
          name: test-queue2
        spec:
          forProvider:
            region: us-east-1
            kmsMasterKeyId: KMS-KEY-ARN
            delaySeconds: 4
            redrivePolicy:
              deadLetterTargetArnRef:
                name: test-queue2
              maxReceiveCount: 1
          providerConfigRef:
            name: example