Create rule S6327: Using unencrypted SNS topics is security-sensitive (#198)
parent 9eec54bb8d
commit 89c01fb164
6
rules/S6327/ask-yourself.adoc
Normal file
@ -0,0 +1,6 @@
== Ask Yourself Whether

* The topic contains sensitive data that could cause harm when leaked.
* There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.
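Review bot: the second question reads awkwardly ("for the service to store data encrypted"); consider rewording it to "There are compliance requirements that the data be stored encrypted." so it parallels the first bullet.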
2
rules/S6327/cloudformation/metadata.json
Normal file
@ -0,0 +1,2 @@
{
}
37
rules/S6327/cloudformation/rule.adoc
Normal file
@ -0,0 +1,37 @@
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html[AWS::SNS::Topic]:

----
AWSTemplateFormatVersion: '2010-09-09'
Resources:
Topic: # Sensitive, encryption disabled by default
Type: AWS::SNS::Topic
Properties:
DisplayName: "unencrypted_topic"
----

== Compliant Solution

For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html[AWS::SNS::Topic]:

----
AWSTemplateFormatVersion: '2010-09-09'
Resources:
Topic:
Type: AWS::SNS::Topic
Properties:
DisplayName: "encrypted_topic"
KmsMasterKeyId:
Fn::GetAtt:
- TestKey
- KeyId
----

include::../see.adoc[]
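Review bot: the compliant solution's `Fn::GetAtt: [TestKey, KeyId]` references a `TestKey` resource that is not declared anywhere in the snippet, so the template as shown does not validate; either add a minimal `AWS::KMS::Key` resource named `TestKey` to the example or say in the lead-in that the key is declared elsewhere. It would also help readers to mention that `KmsMasterKeyId` accepts the AWS-managed alias `alias/aws/sns` as well as a customer-managed key, and that the rule considers either value compliant even though only the customer-managed key gives control over the key policy.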
1
rules/S6327/description.adoc
Normal file
@ -0,0 +1 @@
Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to access the data.
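Review bot: grammar in the description: "SNS topics allows publisher systems to fanout messages" should be "SNS topics allow publisher systems to fan out messages", and "Amazon SNS allows to encrypt messages when they are received" should be "Amazon SNS can encrypt messages as soon as they are received". The last sentence is also missing a comma after "leak a message"; consider "If adversaries gain physical access to the storage medium or otherwise obtain a stored message, they are not able to read its content."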
38
rules/S6327/metadata.json
Normal file
@ -0,0 +1,38 @@
{
"title": "Using unencrypted SNS topics is security-sensitive",
"type": "SECURITY_HOTSPOT",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "10min"
},
"tags": [
"cwe",
"owasp-a3",
"owasp-a6"
],
"extra": {
"coveredLanguages": [

],
"replacementRules": [

]
},
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-6327",
"sqKey": "S6327",
"scope": "All",
"securityStandards": {
"CWE": [
311
],
"OWASP": [
"A3",
"A6"
]
},
"defaultQualityProfiles": [
"Sonar way"
]
}
3
rules/S6327/recommended.adoc
Normal file
@ -0,0 +1,3 @@
== Recommended Secure Coding Practices

It's recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.
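Review bot: "no further modifications to the application are necessary" overstates the case when a customer-managed KMS key is used: publishers need `kms:GenerateDataKey` and `kms:Decrypt` on that key, and the key policy must allow the SNS service principal and any AWS services that publish to the topic. The application code does not change, but IAM and key policies usually do; consider qualifying the sentence to "no changes to the application code are necessary, but publishers and subscribers must be granted the required KMS permissions".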
7
rules/S6327/see.adoc
Normal file
@ -0,0 +1,7 @@
== See

* https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html[Encryption at rest]
* https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/[Encrypting messages published to Amazon SNS with AWS KMS]
* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/311.html[MITRE, CWE-311] - Missing Encryption of Sensitive Data
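Review bot: the two OWASP links are inconsistent: the A3 URL has no `.html` suffix while the A6 URL does. Use the same form for both so the links resolve the same way across the rule set.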
2
rules/S6327/terraform/metadata.json
Normal file
@ -0,0 +1,2 @@
{
}
28
rules/S6327/terraform/rule.adoc
Normal file
@ -0,0 +1,28 @@
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic[aws_sns_topic]:

----
resource "aws_sns_topic" "topic" { # Sensitive, encryption disabled by default
name = "sns-unencrypted"
}
----

== Compliant Solution

For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic[aws_sns_topic]:

----
resource "aws_sns_topic" "topic" {
name = "sns-encrypted"
kms_master_key_id = aws_kms_key.enc_key.key_id
}
----

include::../see.adoc[]
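Review bot: the compliant solution references `aws_kms_key.enc_key.key_id` but no `aws_kms_key` resource named `enc_key` is declared in the snippet, so `terraform validate` would reject it; add a minimal `resource "aws_kms_key" "enc_key" {}` to the example or state that it is defined elsewhere. As with the CloudFormation variant, it is worth noting that `kms_master_key_id = "alias/aws/sns"` (the AWS-managed key) also enables encryption and is treated as compliant by this rule.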