feat(sqs): add enforceSSL property to enforce encryption of data in t…

…ransit (#22363) Enforcing encryption in transit is an [SQS best practice](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html#enforce-encryption-data-in-transit). It also appears in [cdk-nag](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md) rule as [AwsSolutions-SQS4](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#errors). `enforceSSL` property helps developers implement it easily. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 7, 2022 · f1886cf · f1886cf
1 parent 614ba92
commit f1886cf
Show file tree

Hide file tree

Showing 8 changed files with 229 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-sqs/README.md b/packages/@aws-cdk/aws-sqs/README.md
@@ -73,6 +73,18 @@ new sqs.Queue(this, 'Queue', {
 });
 ```
 
+## Encryption in transit
+
+If you want to enforce encryption of data in transit, set the `enforceSSL` property to `true`.
+A resource policy statement that allows only encrypted connections over HTTPS (TLS)
+will be added to the queue.
+
+```ts
+new sqs.Queue(this, 'Queue', {
+  enforceSSL: true,
+});
+```
+
 ## First-In-First-Out (FIFO) queues
 
 FIFO queues give guarantees on the order in which messages are dequeued, and have additional

diff --git a/packages/@aws-cdk/aws-sqs/lib/queue.ts b/packages/@aws-cdk/aws-sqs/lib/queue.ts
@@ -1,3 +1,4 @@
+import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import { Duration, RemovalPolicy, Stack, Token, ArnFormat } from '@aws-cdk/core';
 import { Construct } from 'constructs';
@@ -169,6 +170,14 @@ export interface QueueProps {
    * @default RemovalPolicy.DESTROY
    */
   readonly removalPolicy?: RemovalPolicy;
+
+  /**
+   * Enforce encryption of data in transit.
+   * @see https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html#enforce-encryption-data-in-transit
+   *
+   * @default false
+   */
+  readonly enforceSSL?: boolean;
 }
 
 /**
@@ -432,6 +441,11 @@ export class Queue extends QueueBase {
 
       throw new Error(`Unexpected 'encryptionType': ${encryption}`);
     }
+
+    // Enforce encryption of data in transit
+    if (props.enforceSSL) {
+      this.enforceSSLStatement();
+    }
   }
 
   /**
@@ -475,6 +489,22 @@ export class Queue extends QueueBase {
       fifoQueue,
     };
   }
+
+  /**
+   * Adds an iam statement to enforce encryption of data in transit.
+   */
+  private enforceSSLStatement() {
+    const statement = new iam.PolicyStatement({
+      actions: ['sqs:*'],
+      conditions: {
+        Bool: { 'aws:SecureTransport': 'false' },
+      },
+      effect: iam.Effect.DENY,
+      resources: [this.queueArn],
+      principals: [new iam.AnyPrincipal()],
+    });
+    this.addToResourcePolicy(statement);
+  }
 }
 
 interface FifoProps {

diff --git a/packages/@aws-cdk/aws-sqs/test/integ.sqs.ts b/packages/@aws-cdk/aws-sqs/test/integ.sqs.ts
@@ -28,6 +28,7 @@ const sqsManagedEncryptedQueue = new Queue(stack, 'SqsManagedEncryptedQueue', {
 const unencryptedQueue = new Queue(stack, 'UnencryptedQueue', {
   encryption: QueueEncryption.UNENCRYPTED,
 });
+const ssl = new Queue(stack, 'SSLQueue', { enforceSSL: true });
 
 const role = new Role(stack, 'Role', {
   assumedBy: new AccountRootPrincipal(),
@@ -39,6 +40,7 @@ fifo.grantConsumeMessages(role);
 highThroughputFifo.grantConsumeMessages(role);
 sqsManagedEncryptedQueue.grantConsumeMessages(role);
 unencryptedQueue.grantConsumeMessages(role);
+ssl.grantConsumeMessages(role);
 
 new CfnOutput(stack, 'QueueUrl', { value: queue.queueUrl });
 

diff --git a/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/aws-cdk-sqs.assets.json b/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/aws-cdk-sqs.assets.json
@@ -1,15 +1,15 @@
 {
   "version": "21.0.0",
   "files": {
-    "a660932c356f8eec80b4314b041c64311fd29803603b65a95351137afa8eba04": {
+    "7fd5f7d37f2f344aa43e18636af702436c91c871b1380d772857c431c603bb27": {
       "source": {
         "path": "aws-cdk-sqs.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "a660932c356f8eec80b4314b041c64311fd29803603b65a95351137afa8eba04.json",
+          "objectKey": "7fd5f7d37f2f344aa43e18636af702436c91c871b1380d772857c431c603bb27.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/aws-cdk-sqs.template.json b/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/aws-cdk-sqs.template.json
@@ -97,6 +97,44 @@
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
   },
+  "SSLQueue4E9BF022": {
+   "Type": "AWS::SQS::Queue",
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "SSLQueuePolicy5ABFDF4F": {
+   "Type": "AWS::SQS::QueuePolicy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sqs:*",
+       "Condition": {
+        "Bool": {
+         "aws:SecureTransport": "false"
+        }
+       },
+       "Effect": "Deny",
+       "Principal": {
+        "AWS": "*"
+       },
+       "Resource": {
+        "Fn::GetAtt": [
+         "SSLQueue4E9BF022",
+         "Arn"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "Queues": [
+     {
+      "Ref": "SSLQueue4E9BF022"
+     }
+    ]
+   }
+  },
   "Role1ABCC5F0": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -168,6 +206,12 @@
           "Arn"
          ]
         },
+        {
+         "Fn::GetAtt": [
+          "SSLQueue4E9BF022",
+          "Arn"
+         ]
+        },
         {
          "Fn::GetAtt": [
           "SqsManagedEncryptedQueue587679B3",

diff --git a/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/manifest.json
@@ -23,7 +23,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a660932c356f8eec80b4314b041c64311fd29803603b65a95351137afa8eba04.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7fd5f7d37f2f344aa43e18636af702436c91c871b1380d772857c431c603bb27.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -81,6 +81,18 @@
             "data": "UnencryptedQueue57F92F9C"
           }
         ],
+        "/aws-cdk-sqs/SSLQueue/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "SSLQueue4E9BF022"
+          }
+        ],
+        "/aws-cdk-sqs/SSLQueue/Policy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "SSLQueuePolicy5ABFDF4F"
+          }
+        ],
         "/aws-cdk-sqs/Role/Resource": [
           {
             "type": "aws:cdk:logicalId",

diff --git a/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/tree.json b/packages/@aws-cdk/aws-sqs/test/sqs.integ.snapshot/tree.json
@@ -9,7 +9,7 @@
         "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.108"
+          "version": "10.1.102"
         }
       },
       "aws-cdk-sqs": {
@@ -226,6 +226,79 @@
               "version": "0.0.0"
             }
           },
+          "SSLQueue": {
+            "id": "SSLQueue",
+            "path": "aws-cdk-sqs/SSLQueue",
+            "children": {
+              "Resource": {
+                "id": "Resource",
+                "path": "aws-cdk-sqs/SSLQueue/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::SQS::Queue",
+                  "aws:cdk:cloudformation:props": {}
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-sqs.CfnQueue",
+                  "version": "0.0.0"
+                }
+              },
+              "Policy": {
+                "id": "Policy",
+                "path": "aws-cdk-sqs/SSLQueue/Policy",
+                "children": {
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "aws-cdk-sqs/SSLQueue/Policy/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::SQS::QueuePolicy",
+                      "aws:cdk:cloudformation:props": {
+                        "policyDocument": {
+                          "Statement": [
+                            {
+                              "Action": "sqs:*",
+                              "Condition": {
+                                "Bool": {
+                                  "aws:SecureTransport": "false"
+                                }
+                              },
+                              "Effect": "Deny",
+                              "Principal": {
+                                "AWS": "*"
+                              },
+                              "Resource": {
+                                "Fn::GetAtt": [
+                                  "SSLQueue4E9BF022",
+                                  "Arn"
+                                ]
+                              }
+                            }
+                          ],
+                          "Version": "2012-10-17"
+                        },
+                        "queues": [
+                          {
+                            "Ref": "SSLQueue4E9BF022"
+                          }
+                        ]
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "@aws-cdk/aws-sqs.CfnQueuePolicy",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-sqs.QueuePolicy",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "@aws-cdk/aws-sqs.Queue",
+              "version": "0.0.0"
+            }
+          },
           "Role": {
             "id": "Role",
             "path": "aws-cdk-sqs/Role",
@@ -316,6 +389,12 @@
                                     "Arn"
                                   ]
                                 },
+                                {
+                                  "Fn::GetAtt": [
+                                    "SSLQueue4E9BF022",
+                                    "Arn"
+                                  ]
+                                },
                                 {
                                   "Fn::GetAtt": [
                                     "SqsManagedEncryptedQueue587679B3",
@@ -395,7 +474,7 @@
                 "path": "SqsTest/DefaultTest/Default",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.1.108"
+                  "version": "10.1.102"
                 }
               },
               "DeployAssert": {

diff --git a/packages/@aws-cdk/aws-sqs/test/sqs.test.ts b/packages/@aws-cdk/aws-sqs/test/sqs.test.ts
@@ -479,6 +479,51 @@ describe('queue encryption', () => {
   });
 });
 
+describe('encryption in transit', () => {
+  test('enforceSSL can be enabled', () => {
+    const stack = new Stack();
+    new sqs.Queue(stack, 'Queue', { enforceSSL: true });
+
+    Template.fromStack(stack).templateMatches({
+      'Resources': {
+        'Queue4A7E3555': {
+          'Type': 'AWS::SQS::Queue',
+          'UpdateReplacePolicy': 'Delete',
+          'DeletionPolicy': 'Delete',
+        },
+        'QueuePolicy25439813': {
+          'Type': 'AWS::SQS::QueuePolicy',
+          'Properties': {
+            'PolicyDocument': {
+              'Statement': [
+                {
+                  'Action': 'sqs:*',
+                  'Condition': {
+                    'Bool': {
+                      'aws:SecureTransport': 'false',
+                    },
+                  },
+                  'Effect': 'Deny',
+                  'Principal': {
+                    'AWS': '*',
+                  },
+                  'Resource': {
+                    'Fn::GetAtt': [
+                      'Queue4A7E3555',
+                      'Arn',
+                    ],
+                  },
+                },
+              ],
+              'Version': '2012-10-17',
+            },
+          },
+        },
+      },
+    });
+  });
+});
+
 test('test ".fifo" suffixed queues register as fifo', () => {
   const stack = new Stack();
   const queue = new sqs.Queue(stack, 'Queue', {