diff --git a/rules/S6330/javascript/rule.adoc b/rules/S6330/javascript/rule.adoc
index 0b507d4394b..d59940664f4 100644
--- a/rules/S6330/javascript/rule.adoc
+++ b/rules/S6330/javascript/rule.adoc
@@ -12,7 +12,9 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[`
 ----
 import { Queue } from 'aws-cdk-lib/aws-sqs';
-new Queue(this, 'example'); // Sensitive
+new Queue(this, 'example', {
+ encryption: QueueEncryption.UNENCRYPTED // Sensitive
+});
 ----
 For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html[`aws-cdk-lib.aws-sqs.CfnQueue`]
@@ -21,7 +23,9 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.htm
 ----
 import { CfnQueue } from 'aws-cdk-lib/aws-sqs';
-new CfnQueue(this, 'example'); // Sensitive
+new CfnQueue(this, 'example', {
+ sqsManagedSseEnabled: false // Sensitive
+});
 ----
 == Compliant Solution
@@ -33,7 +37,7 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[`
 import { Queue } from 'aws-cdk-lib/aws-sqs';
 new Queue(this, 'example', {
- encryption: QueueEncryption.KMS_MANAGED
+ encryption: QueueEncryption.SQS_MANAGED
 });
 ----
@@ -43,12 +47,8 @@ For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.htm
 ----
 import { CfnQueue } from 'aws-cdk-lib/aws-sqs';
-const encryptionKey = new Key(this, 'example', {
- enableKeyRotation: true,
-});
-
 new CfnQueue(this, 'example', {
- kmsMasterKeyId: encryptionKey.keyId
+ sqsManagedSseEnabled: true
 });
 ----
@@ -62,27 +62,22 @@ ifdef::env-github,rspecator-view[]
 === Message
-For CfnQueue:
-
-* Omitting "kmsMasterKeyId" disables SQS queues encryption. Make sure it is safe here.
-
 For Queue:
-* Omitting "encryption" disables SQS queues encryption. Make sure it is safe here.
 * Setting "encryption" to "QueueEncryption.UNENCRYPTED" disables SQS queues encryption. Make sure it is safe here.
-=== Highlighting
+For CfnQueue:
+
+* Setting "sqsManagedSseEnabled" to "false" disables SQS queues encryption. Make sure it is safe here.
-* Highlight the initializer function if it does not contain the third argument `props` or `props` is set to `undefined`.
+=== Highlighting
-For Topic:
+For Queue:
-* Highlight the `props` object if it does not contain the property `encryption`.
 * Highlight the `encryption` attribute if it is set to `QueueEncryption.UNENCRYPTED`.
 For CfnQueue:
-* Highlight the `props` object if it does not contain the property `kmsMasterKeyId`.
-* Highlight the `kmsMasterKeyId` attribute if it is set to `undefined`.
+* Highlight the `sqsManagedSseEnabled` attribute if it is set to `false`.
 endif::env-github,rspecator-view[]
\ No newline at end of file
diff --git a/rules/S6330/python/rule.adoc b/rules/S6330/python/rule.adoc
index 7c712863746..e36f9c8cb62 100644
--- a/rules/S6330/python/rule.adoc
+++ b/rules/S6330/python/rule.adoc
@@ -6,23 +6,6 @@ include::../recommended.adoc[]
 == Sensitive Code Example
-For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[aws_cdk.aws_sqs.Queue]:
-
-[source,python]
-----
-from aws_cdk import (
- aws_sqs as sqs
-)
-
-class QueueStack(Stack):
- def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
- super().__init__(scope, construct_id, **kwargs)
- sqs.Queue( # Sensitive, unencrypted by default
- self,
- "example"
- )
-----
-
 For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html[aws_cdk.aws_sqs.CfnQueue]:
 [source,python]
@@ -34,32 +17,15 @@ from aws_cdk import (
 class CfnQueueStack(Stack):
 def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
 super().__init__(scope, construct_id, **kwargs)
- sqs.CfnQueue( # Sensitive, unencrypted by default
+ sqs.CfnQueue(
 self,
- "example"
+ "example",
+ sqs_managed_sse_enabled=False # Sensitive, unencrypted
 )
 ----
 == Compliant Solution
-For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html[aws_cdk.aws_sqs.Queue]:
-
-[source,python]
-----
-from aws_cdk import (
- aws_sqs as sqs
-)
-
-class QueueStack(Stack):
- def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
- super().__init__(scope, construct_id, **kwargs)
- sqs.Queue(
- self,
- "example",
- encryption=sqs.QueueEncryption.KMS_MANAGED
- )
-----
-
 For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.CfnQueue.html[aws_cdk.aws_sqs.CfnQueue]:
 [source,python]
@@ -71,11 +37,10 @@ from aws_cdk import (
 class CfnQueueStack(Stack):
 def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
 super().__init__(scope, construct_id, **kwargs)
- my_key = kms.Key(self, "key")
 sqs.CfnQueue(
 self,
 "example",
- kms_master_key_id=my_key.key_id
+ sqs_managed_sse_enabled=True
 )
 ----
@@ -90,14 +55,10 @@ ifdef::env-github,rspecator-view[]
 === Message
-For CfnQueue:
-
-* Omitting "kms_master_key_id" disables SQS queues encryption. Make sure it is safe here.
-
-For Queue:
+* Setting "sqs_managed_sse_enabled" to "False" disables SQS queues encryption. Make sure it is safe here.
-* Omitting "encryption" disables SQS queues encryption. Make sure it is safe here.
-* Setting "encryption" to "QueueEncryption.UNENCRYPTED" disables SQS queues encryption. Make sure it is safe here.
+=== Highlighting
+* Highlight the `sqs_managed_sse_enabled` attribute if it is set to `False`.
 endif::env-github,rspecator-view[]