diff --git a/rules/S6327/ask-yourself.adoc b/rules/S6327/ask-yourself.adoc
new file mode 100644
index 0000000000..6178ef3234
--- /dev/null
+++ b/rules/S6327/ask-yourself.adoc
@@ -0,0 +1,6 @@
+== Ask Yourself Whether
+
+* The topic contains sensitive data that could cause harm when leaked.
+* There are compliance requirements for the service to store data encrypted.
+
+There is a risk if you answered yes to any of those questions.
diff --git a/rules/S6327/cloudformation/metadata.json b/rules/S6327/cloudformation/metadata.json
new file mode 100644
index 0000000000..7a73a41bfd
--- /dev/null
+++ b/rules/S6327/cloudformation/metadata.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/rules/S6327/cloudformation/rule.adoc b/rules/S6327/cloudformation/rule.adoc
new file mode 100644
index 0000000000..71c9aef308
--- /dev/null
+++ b/rules/S6327/cloudformation/rule.adoc
@@ -0,0 +1,37 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html[AWS::SNS::Topic]:
+
+----
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ Topic: # Sensitive, encryption disabled by default
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: "unencrypted_topic"
+----
+
+== Compliant Solution
+
+For https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html[AWS::SNS::Topic]:
+
+----
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ Topic:
+ Type: AWS::SNS::Topic
+ Properties:
+ DisplayName: "encrypted_topic"
+ KmsMasterKeyId:
+ Fn::GetAtt:
+ - TestKey
+ - KeyId
+----
+
+include::../see.adoc[]
diff --git a/rules/S6327/description.adoc b/rules/S6327/description.adoc
new file mode 100644
index 0000000000..9a08404a52
--- /dev/null
+++ b/rules/S6327/description.adoc
@@ -0,0 +1 @@
+Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to access the data.
diff --git a/rules/S6327/metadata.json b/rules/S6327/metadata.json
new file mode 100644
index 0000000000..f221987846
--- /dev/null
+++ b/rules/S6327/metadata.json
@@ -0,0 +1,38 @@
+{
+ "title": "Using unencrypted SNS topics is security-sensitive",
+ "type": "SECURITY_HOTSPOT",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "10min"
+ },
+ "tags": [
+ "cwe",
+ "owasp-a3",
+ "owasp-a6"
+ ],
+ "extra": {
+ "coveredLanguages": [
+
+ ],
+ "replacementRules": [
+
+ ]
+ },
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6327",
+ "sqKey": "S6327",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 311
+ ],
+ "OWASP": [
+ "A3",
+ "A6"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ]
+}
diff --git a/rules/S6327/recommended.adoc b/rules/S6327/recommended.adoc
new file mode 100644
index 0000000000..619707c6c6
--- /dev/null
+++ b/rules/S6327/recommended.adoc
@@ -0,0 +1,3 @@
+== Recommended Secure Coding Practices
+
+It's recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.
diff --git a/rules/S6327/see.adoc b/rules/S6327/see.adoc
new file mode 100644
index 0000000000..5c1818f696
--- /dev/null
+++ b/rules/S6327/see.adoc
@@ -0,0 +1,7 @@
+== See
+
+* https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html[Encryption at rest]
+* https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/[Encrypting messages published to Amazon SNS with AWS KMS]
+* https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
+* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
+* https://cwe.mitre.org/data/definitions/311.html[MITRE, CWE-311] - Missing Encryption of Sensitive Data
diff --git a/rules/S6327/terraform/metadata.json b/rules/S6327/terraform/metadata.json
new file mode 100644
index 0000000000..7a73a41bfd
--- /dev/null
+++ b/rules/S6327/terraform/metadata.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/rules/S6327/terraform/rule.adoc b/rules/S6327/terraform/rule.adoc
new file mode 100644
index 0000000000..0bb60f4415
--- /dev/null
+++ b/rules/S6327/terraform/rule.adoc
@@ -0,0 +1,28 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic[aws_sns_topic]:
+
+----
+resource "aws_sns_topic" "topic" { # Sensitive, encryption disabled by default
+ name = "sns-unencrypted"
+}
+----
+
+== Compliant Solution
+
+For https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic[aws_sns_topic]:
+
+----
+resource "aws_sns_topic" "topic" {
+ name = "sns-encrypted"
+ kms_master_key_id = aws_kms_key.enc_key.key_id
+}
+----
+
+include::../see.adoc[]