feat(cloudformation): Adding Sse property to SQS Encryption check #5870
Conversation
Opened PR for this already #5870
You need to check what types those properties are, they should be a string and a boolean but they might not be. Otherwise it looks perfect!
Thanks James, I was going to do just that except I was curious what the stance is here in general. If
That being said, I will make the updates to check the types and return
The more I think about this the more I feel like checking for type is inconsistent from what is being done in the terraform check for this same check ID. If I check for whether these properties get a specific type, aren't we just validating the CFT/resource at that point? I don't feel like that makes a whole lot of sense based on the majority of the other checks in here.
If you don't check the types, this valid CFN will pass your check when it should fail:
Also I think because the default is now to auto enable SSE your case test_SQSQueueEncryption-FAILED2.yml should now be a pass.
Hi @bakosa, are you planning to finish the work on this PR? Your efforts are greatly appreciated.
Yeah, I can take a look this week. I just opened another issue, curious thought there too!
…t SqsManagedSseEnabled true if neither passed in
Finally got back to this and pushed updates suggested by @JamesWoolfenden
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
This PR enhances the CKV_AWS_27 check to handle the SqsManagedSseEnabled property. Note that AWS by default now enables SSE on newly created SQS queues. However, this check will still make sure queues are explicitly setting either KMS or SSE, since existing queues won't be encrypted. I was not sure if we should use a YAML graph-based check for this, but I thought re-defining an entire check would be a bit much/have unintended consequences.
Another thing to note is, like any BaseResourceValueCheck, this check won't really handle unknowns if the template is not valid.
Fixes #5869
Description
Read above
Fix
How does someone fix the issue in code and/or in runtime?
Pass KMS Key ID to encrypt via KmsMasterKeyId (which will set SSE to false) or set the SqsManagedSseEnabled to true
Checklist:
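The rule this PR describes for CKV_AWS_27 (an AWS::SQS::Queue passes only when it explicitly sets KmsMasterKeyId or sets SqsManagedSseEnabled to true, with the type checks the reviewer asked for) as a stand-alone Python illustration added here; this is not checkov's implementation or the PR's own code. It assumes templates are already parsed into dicts, and treats an intrinsic-function value for KmsMasterKeyId (a dict such as `{"Ref": ...}`) as a provided key, which is an assumption since the check cannot resolve it.

```python
"""Illustrative CKV_AWS_27 logic: explicit SQS encryption, with type checks.

Not checkov's code; mirrors the behaviour discussed in the PR above.
"""

PASSED, FAILED = "PASSED", "FAILED"


def check_sqs_queue_encryption(properties):
    """Evaluate one AWS::SQS::Queue 'Properties' mapping (may be None)."""
    props = properties or {}
    kms_key = props.get("KmsMasterKeyId")
    # A non-empty string key id passes. Assumption: an intrinsic function
    # ({"Ref": ...}, {"Fn::GetAtt": ...}) is treated as a provided key.
    if isinstance(kms_key, str) and kms_key.strip():
        return PASSED
    if isinstance(kms_key, dict) and kms_key:
        return PASSED
    sse = props.get("SqsManagedSseEnabled")
    # Type matters: only the boolean True passes. A false value, a string
    # such as "true", or an absent property all fail, because relying on
    # the AWS default leaves existing queues unencrypted.
    if sse is True:
        return PASSED
    return FAILED


def scan_template(template):
    """Return {logical_id: result} for every AWS::SQS::Queue in a parsed template."""
    results = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") == "AWS::SQS::Queue":
            results[logical_id] = check_sqs_queue_encryption(resource.get("Properties"))
    return results


# Constructed sample template, shaped like a YAML-parsed CloudFormation file.
SAMPLE_TEMPLATE = {
    "Resources": {
        "KmsQueue": {"Type": "AWS::SQS::Queue",
                     "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
        "SseQueue": {"Type": "AWS::SQS::Queue",
                     "Properties": {"SqsManagedSseEnabled": True}},
        "SseOffQueue": {"Type": "AWS::SQS::Queue",
                        "Properties": {"SqsManagedSseEnabled": False}},
        "DefaultQueue": {"Type": "AWS::SQS::Queue",
                         "Properties": {"QueueName": "relies-on-default"}},
        "NotAQueue": {"Type": "AWS::SNS::Topic", "Properties": {}},
    }
}

if __name__ == "__main__":
    for name, result in scan_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {result}")
```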