AmazonMQ Broker Encryption Disabled
- Query id: 316278b3-87ac-444c-8f8f-a733a28da60f
- Query name: AmazonMQ Broker Encryption Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: 311
- URL: Github
Description
AmazonMQ Broker should have Encryption Options defined
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: "true"
      Users:
        -
          ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "HostInstanceType": "mq.t2.micro",
        "PubliclyAccessible": "true",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": [
              "MyGroup"
            ],
            "Password": {
              "Ref": "BrokerPassword"
            },
            "Username": {
              "Ref": "BrokerUsername"
            }
          }
        ],
        "AutoMinorVersionUpgrade": "false",
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0"
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: "true"
      Users:
        -
          ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EncryptionOptions": {
          "UseAwsOwnedKey": true
        },
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": [
              "MyGroup"
            ],
            "Password": {
              "Ref": "BrokerPassword"
            },
            "Username": {
              "Ref": "BrokerUsername"
            }
          }
        ],
        "AutoMinorVersionUpgrade": "false",
        "PubliclyAccessible": "true"
      }
    }
  }
}
```
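The check this query performs, written out as a small Python script so the logic is visible: walk every resource in a CloudFormation template, keep only those of type `AWS::AmazonMQ::Broker`, and report each one whose `Properties` block has no `EncryptionOptions` map. This is an added example, not the KICS query itself (KICS queries are written in Rego); the template embedded below is constructed for the example and carries one broker that matches the positive samples above, one that matches the negative samples, and an unrelated resource that must be ignored. The `search_key` field is modelled on the way KICS names the offending path and is an assumption of this example.

```python
import json

# Constructed sample template in JSON form. "UnencryptedBroker" mirrors the
# positive samples on this page (no EncryptionOptions), "EncryptedBroker"
# mirrors the negative ones, and "SomeQueue" checks that non-broker resources
# are skipped.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "UnencryptedBroker": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro"
      }
    },
    "EncryptedBroker": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyOtherBroker",
        "EncryptionOptions": {"UseAwsOwnedKey": true}
      }
    },
    "SomeQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {}
    }
  }
}
""")

BROKER_TYPE = "AWS::AmazonMQ::Broker"


def broker_findings(template):
    """Return one finding per AWS::AmazonMQ::Broker resource whose Properties
    block does not define EncryptionOptions.

    The shape of each finding (search_key / issue / expected) is modelled on
    KICS result fields; it is an assumption of this example, not KICS output.
    """
    findings = []
    resources = template.get("Resources") or {}
    for name, resource in resources.items():
        # Only broker resources are in scope for this query.
        if not isinstance(resource, dict) or resource.get("Type") != BROKER_TYPE:
            continue
        props = resource.get("Properties") or {}
        # The query is a presence check: EncryptionOptions must be a defined map.
        if not isinstance(props.get("EncryptionOptions"), dict):
            findings.append({
                "resource": name,
                "search_key": f"Resources.{name}.Properties",
                "issue": "'EncryptionOptions' is undefined",
                "expected": "'EncryptionOptions' should be defined",
            })
    return findings


def main():
    # Print findings in a one-line-per-result form, tagged with the query's severity.
    for finding in broker_findings(SAMPLE_TEMPLATE):
        print(f"[HIGH] {finding['search_key']}: {finding['issue']}")


if __name__ == "__main__":
    main()
```

Two practical notes. First, the script takes an already-parsed template; for YAML templates you need a loader that understands the CloudFormation short-form tags (`!Ref`, `!Sub`, and so on), or the intrinsic functions in the `Users` block above will fail to parse. Second, this query only checks that `EncryptionOptions` is declared; whether the declared options use an AWS-owned key (`UseAwsOwnedKey: true`, as in the negative samples) or a customer-managed key via `KmsKeyId` is a separate decision, and a stricter in-house rule could extend `broker_findings` to require the latter.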