SQS With SSE Disabled

  • Query id: 12726829-93ed-4d51-9cbe-13423f4299e1
  • Query name: SQS With SSE Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Encryption
  • CWE: 319
  • URL: Github

Description

Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
  MyQueue2:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      SqsManagedSseEnabled: false
Positive test num. 2 - json file
{
  "Resources": {
    "MyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue"
      }
    },
    "MyQueue2": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "SqsManagedSseEnabled": "false"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      KmsMasterKeyId: wewewewewewe
  MyQueue2:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue"
      SqsManagedSseEnabled: true
Negative test num. 2 - json file
{
  "Resources": {
    "MyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "KmsMasterKeyId": "wewewewewewe"
      }
    },
    "MyQueue2": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "SampleQueue",
        "SqsManagedSseEnabled": "true"
      }
    }
  }
}