Modify rule S6330: Default Queue encryption is now SSE-SQS (APPSEC-33…

…9) (#2626) * Default Queue encryption is now SSE-SQS * FIx typo
SonarSource · Sep 2, 2024 · 22b1c62 · 22b1c62
1 parent 2783df8
commit 22b1c62
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 65 deletions.
diff --git a/rules/S6330/javascript/rule.adoc b/rules/S6330/javascript/rule.adoc
@@ -12,7 +12,9 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[`
 ----
 import { Queue } from 'aws-cdk-lib/aws-sqs';
 
-new Queue(this, 'example'); // Sensitive
+new Queue(this, 'example', {
+    encryption: QueueEncryption.UNENCRYPTED // Sensitive
+});
 ----
 
 For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html[`aws-cdk-lib.aws-sqs.CfnQueue`]
@@ -21,7 +23,9 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.htm
 ----
 import { CfnQueue } from 'aws-cdk-lib/aws-sqs';
 
-new CfnQueue(this, 'example'); // Sensitive
+new CfnQueue(this, 'example', {
+    sqsManagedSseEnabled: false // Sensitive
+});
 ----
 
 == Compliant Solution
@@ -33,7 +37,7 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[`
 import { Queue } from 'aws-cdk-lib/aws-sqs';
 
 new Queue(this, 'example', {
-    encryption: QueueEncryption.KMS_MANAGED
+    encryption: QueueEncryption.SQS_MANAGED
 });
 ----
 
@@ -43,12 +47,8 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.htm
 ----
 import { CfnQueue } from 'aws-cdk-lib/aws-sqs';
 
-const encryptionKey = new Key(this, 'example', {
-    enableKeyRotation: true,
-});
-
 new CfnQueue(this, 'example', {
-    kmsMasterKeyId: encryptionKey.keyId
+    sqsManagedSseEnabled: true
 });
 ----
 
@@ -62,27 +62,22 @@ ifdef::env-github,rspecator-view[]
 
 === Message
 
-For CfnQueue:
-
-* Omitting "kmsMasterKeyId" disables SQS queues encryption. Make sure it is safe here.
-
 For Queue:
 
-* Omitting "encryption" disables SQS queues encryption. Make sure it is safe here.
 * Setting "encryption" to "QueueEncryption.UNENCRYPTED" disables SQS queues encryption. Make sure it is safe here.
 
-=== Highlighting
+For CfnQueue:
+
+* Setting "sqsManagedSseEnabled" to "false" disables SQS queues encryption. Make sure it is safe here.
 
-* Highlight the initializer function if it does not contain the third argument `props` or `props` is set to `undefined`.
+=== Highlighting
 
-For Topic: 
+For Queue: 
 
-* Highlight the `props` object if it does not contain the property `encryption`.
 * Highlight the `encryption` attribute if it is set to `QueueEncryption.UNENCRYPTED`.
 
 For CfnQueue: 
 
-* Highlight the `props` object if it does not contain the property `kmsMasterKeyId`.
-* Highlight the `kmsMasterKeyId` attribute if it is set to `undefined`.
+* Highlight the `sqsManagedSseEnabled` attribute if it is set to `false`.
 
 endif::env-github,rspecator-view[]
diff --git a/rules/S6330/python/rule.adoc b/rules/S6330/python/rule.adoc
@@ -6,23 +6,6 @@ include::../recommended.adoc[]
 
 == Sensitive Code Example
 
-For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[aws_cdk.aws_sqs.Queue]:
-
-[source,python]
-----
-from aws_cdk import (
-    aws_sqs as sqs
-)
-
-class QueueStack(Stack):
-    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
-        super().__init__(scope, construct_id, **kwargs)
-        sqs.Queue( # Sensitive, unencrypted by default
-            self,
-            "example"
-        )
-----
-
 For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html[aws_cdk.aws_sqs.CfnQueue]:
 
 [source,python]
@@ -34,32 +17,15 @@ from aws_cdk import (
 class CfnQueueStack(Stack):
     def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
         super().__init__(scope, construct_id, **kwargs)
-        sqs.CfnQueue( # Sensitive, unencrypted by default
+        sqs.CfnQueue(
             self,
-            "example"
+            "example",
+            sqs_managed_sse_enabled=False # Sensitive, unencrypted
         )
 ----
 
 == Compliant Solution
 
-For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[aws_cdk.aws_sqs.Queue]:
-
-[source,python]
-----
-from aws_cdk import (
-    aws_sqs as sqs
-)
-
-class QueueStack(Stack):
-    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
-        super().__init__(scope, construct_id, **kwargs)
-        sqs.Queue(
-            self,
-            "example",
-            encryption=sqs.QueueEncryption.KMS_MANAGED
-        )
-----
-
 For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html[aws_cdk.aws_sqs.CfnQueue]:
 
 [source,python]
@@ -71,11 +37,10 @@ from aws_cdk import (
 class CfnQueueStack(Stack):
     def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
         super().__init__(scope, construct_id, **kwargs)
-        my_key = kms.Key(self, "key")
         sqs.CfnQueue(
             self,
             "example",
-            kms_master_key_id=my_key.key_id
+            sqs_managed_sse_enabled=True
         )
 ----
 
@@ -90,14 +55,10 @@ ifdef::env-github,rspecator-view[]
 
 === Message
 
-For CfnQueue:
-
-* Omitting "kms_master_key_id" disables SQS queues encryption. Make sure it is safe here.
-
-For Queue:
+* Setting "sqs_managed_sse_enabled" to "False" disables SQS queues encryption. Make sure it is safe here.
 
-* Omitting "encryption" disables SQS queues encryption. Make sure it is safe here.
-* Setting "encryption" to "QueueEncryption.UNENCRYPTED" disables SQS queues encryption. Make sure it is safe here.
+=== Highlighting
 
+* Highlight the `sqs_managed_sse_enabled` attribute if it is set to `False`.
 
 endif::env-github,rspecator-view[]