SQS With SSE Disabled
- Query id: e1e7b278-2a8b-49bd-a26e-66a7f70b17eb
- Query name: SQS With SSE Disabled
- Platform: Ansible
- Severity: Medium
- Category: Encryption
- CWE: 319
- URL: Github
Description
Amazon Simple Queue Service (SQS) queues should protect the contents of their messages with Server-Side Encryption (SSE). With the community.aws.sqs_queue module, SSE is enabled by setting kms_master_key_id to the KMS key (or key alias) that should encrypt the queue; a task that creates or updates a queue without it leaves the queue's messages stored unencrypted.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
- name: Create SQS queue with redrive policy
  community.aws.sqs_queue:
    # no kms_master_key_id: the queue is created without SSE
    name: my-queue
    region: ap-southeast-2
    default_visibility_timeout: 120
    message_retention_period: 86400
    maximum_message_size: 1024
    delivery_delay: 30
    receive_message_wait_time: 20
    policy: "{{ json_dict }}"
    redrive_policy:
      maxReceiveCount: 5
      deadLetterTargetArn: arn:aws:sqs:eu-west-1:123456789012:my-dead-queue

- name: Drop redrive policy
  community.aws.sqs_queue:
    name: my-queue
    region: ap-southeast-2
    redrive_policy: {}

- name: Create FIFO queue
  community.aws.sqs_queue:
    # no kms_master_key_id: the FIFO queue is created without SSE
    name: fifo-queue
    region: ap-southeast-2
    queue_type: fifo
    content_based_deduplication: yes

- name: Tag queue
  community.aws.sqs_queue:
    name: fifo-queue
    region: ap-southeast-2
    tags:
      example: SomeValue
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
- name: Configure Encryption, automatically uses a new data key every hour
  community.aws.sqs_queue:
    name: fifo-queue
    region: ap-southeast-2
    # SSE enabled: messages are encrypted with this KMS key
    kms_master_key_id: alias/MyQueueKey
    kms_data_key_reuse_period_seconds: 3600

- name: Delete SQS queue
  community.aws.sqs_queue:
    name: my-queue
    region: ap-southeast-2
    state: absent
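The following is an added example, not part of the KICS query or of the Ansible collection: a small static checker that applies the rule this page describes to a parsed Ansible task list. It flags every community.aws.sqs_queue task that creates or updates a queue (state other than absent) without a non-empty kms_master_key_id, and it recurses into block/rescue/always sections. The task lists embedded below are constructed from the positive and negative samples above; the set of module names recognised (the collection name plus the pre-collection short name sqs_queue) and the PyYAML-based loader are assumptions of this example.

```python
"""Added example: flag community.aws.sqs_queue tasks that leave SSE disabled.

This is not KICS's own implementation; it reproduces the rule described on
the page over an already-parsed Ansible task list (list of dicts).
"""
from typing import Any, Dict, List, Optional

# Names under which the module may be referenced in a task (assumption: the
# fully qualified collection name and the legacy short name).
SQS_MODULE_NAMES = {"community.aws.sqs_queue", "sqs_queue"}

# Keys whose values are nested task lists.
NESTED_TASK_KEYS = ("block", "rescue", "always")


def _module_args(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the sqs_queue module arguments of a task, or None if the task
    does not call that module."""
    for key, value in task.items():
        if key in SQS_MODULE_NAMES:
            return value if isinstance(value, dict) else {}
    return None


def is_sse_disabled(args: Dict[str, Any]) -> bool:
    """True when the task would create/update a queue without a KMS key.

    Deleting a queue (state: absent) never produces an unencrypted queue, so
    it is not reported. A Jinja expression such as "{{ key_alias }}" counts as
    a configured key; resolving variables is out of scope for a static check.
    """
    if str(args.get("state", "present")).lower() == "absent":
        return False
    key_id = args.get("kms_master_key_id")
    return key_id is None or str(key_id).strip() == ""


def find_unencrypted_sqs_tasks(tasks: List[Any]) -> List[Dict[str, Any]]:
    """Walk a task list (including block/rescue/always) and collect findings."""
    findings: List[Dict[str, Any]] = []
    for task in tasks:
        if not isinstance(task, dict):
            continue
        # Recurse into nested task lists first so findings keep file order.
        for nested_key in NESTED_TASK_KEYS:
            nested = task.get(nested_key)
            if isinstance(nested, list):
                findings.extend(find_unencrypted_sqs_tasks(nested))
        args = _module_args(task)
        if args is not None and is_sse_disabled(args):
            findings.append({
                "task_name": task.get("name", "<unnamed>"),
                "queue_name": args.get("name"),
                "reason": "kms_master_key_id missing or empty (SSE disabled)",
            })
    return findings


def load_tasks_from_yaml(text: str) -> List[Any]:
    """Parse a tasks file with PyYAML. Imported lazily so the checker itself
    has no third-party dependency (assumption: PyYAML is installed)."""
    import yaml  # type: ignore
    data = yaml.safe_load(text)
    return data if isinstance(data, list) else []


# Constructed from the page's positive sample (no key on any task).
POSITIVE_TASKS: List[Dict[str, Any]] = [
    {"name": "Create SQS queue with redrive policy",
     "community.aws.sqs_queue": {"name": "my-queue", "region": "ap-southeast-2",
                                 "redrive_policy": {"maxReceiveCount": 5}}},
    {"name": "Drop redrive policy",
     "community.aws.sqs_queue": {"name": "my-queue", "region": "ap-southeast-2",
                                 "redrive_policy": {}}},
    {"name": "Create FIFO queue",
     "community.aws.sqs_queue": {"name": "fifo-queue", "region": "ap-southeast-2",
                                 "queue_type": "fifo"}},
    {"name": "Tag queue",
     "community.aws.sqs_queue": {"name": "fifo-queue", "region": "ap-southeast-2",
                                 "tags": {"example": "SomeValue"}}},
]

# Constructed from the page's negative sample (encrypted queue, then a delete).
NEGATIVE_TASKS: List[Dict[str, Any]] = [
    {"name": "Configure Encryption, automatically uses a new data key every hour",
     "community.aws.sqs_queue": {"name": "fifo-queue", "region": "ap-southeast-2",
                                 "kms_master_key_id": "alias/MyQueueKey",
                                 "kms_data_key_reuse_period_seconds": 3600}},
    {"name": "Delete SQS queue",
     "community.aws.sqs_queue": {"name": "my-queue", "region": "ap-southeast-2",
                                 "state": "absent"}},
]

if __name__ == "__main__":
    for label, tasks in (("positive", POSITIVE_TASKS), ("negative", NEGATIVE_TASKS)):
        for finding in find_unencrypted_sqs_tasks(tasks):
            print(f"[{label}] {finding['task_name']} ({finding['queue_name']}): {finding['reason']}")
```

Run against the positive sample the checker reports all four tasks, since each creates or modifies a queue with no key configured; the negative sample yields nothing, because the first task sets kms_master_key_id and the second only deletes a queue.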