Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(sqs): add enforceSSL property to enforce encryption of data in transit #22363

Merged
merged 6 commits into from
Oct 7, 2022
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions packages/@aws-cdk/aws-sqs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,18 @@ new sqs.Queue(this, 'Queue', {
});
```

## Encryption in transit

If you want to enforce encryption of data in transit, set the `enforceSSL` property to `true`.
A resource policy statement that allows only encrypted connections over HTTPS (TLS)
will be added to the queue.

```ts
new sqs.Queue(this, 'Queue', {
enforceSSL: true,
});
```

## First-In-First-Out (FIFO) queues

FIFO queues give guarantees on the order in which messages are dequeued, and have additional
Expand Down
30 changes: 30 additions & 0 deletions packages/@aws-cdk/aws-sqs/lib/queue.ts
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import * as iam from '@aws-cdk/aws-iam';
import * as kms from '@aws-cdk/aws-kms';
import { Duration, RemovalPolicy, Stack, Token, ArnFormat } from '@aws-cdk/core';
import { Construct } from 'constructs';
Expand Down Expand Up @@ -169,6 +170,14 @@ export interface QueueProps {
* @default RemovalPolicy.DESTROY
*/
readonly removalPolicy?: RemovalPolicy;

/**
* Enforce encryption of data in transit.
* @see https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html#enforce-encryption-data-in-transit
*
* @default false
*/
readonly enforceSSL?: boolean;
}

/**
Expand Down Expand Up @@ -404,6 +413,11 @@ export class Queue extends QueueBase {

throw new Error(`Unexpected 'encryptionType': ${encryption}`);
}

// Enforce encryption of data in transit
if (props.enforceSSL) {
this.enforceSSLStatement();
}
}

/**
Expand Down Expand Up @@ -447,6 +461,22 @@ export class Queue extends QueueBase {
fifoQueue,
};
}

/**
* Adds an iam statement to enforce encryption of data in transit.
*/
private enforceSSLStatement() {
const statement = new iam.PolicyStatement({
actions: ['sqs:*'],
conditions: {
Bool: { 'aws:SecureTransport': 'false' },
},
effect: iam.Effect.DENY,
resources: [this.queueArn],
principals: [new iam.AnyPrincipal()],
});
this.addToResourcePolicy(statement);
}
}

interface FifoProps {
Expand Down
45 changes: 45 additions & 0 deletions packages/@aws-cdk/aws-sqs/test/sqs.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,51 @@ describe('queue encryption', () => {
});
});

describe('encryption in transit', () => {
test('enforceSSL can be enabled', () => {
const stack = new Stack();
new sqs.Queue(stack, 'Queue', { enforceSSL: true });

Template.fromStack(stack).templateMatches({
'Resources': {
'Queue4A7E3555': {
'Type': 'AWS::SQS::Queue',
'UpdateReplacePolicy': 'Delete',
'DeletionPolicy': 'Delete',
},
'QueuePolicy25439813': {
'Type': 'AWS::SQS::QueuePolicy',
'Properties': {
'PolicyDocument': {
'Statement': [
{
'Action': 'sqs:*',
'Condition': {
'Bool': {
'aws:SecureTransport': 'false',
},
},
'Effect': 'Deny',
'Principal': {
'AWS': '*',
},
'Resource': {
'Fn::GetAtt': [
'Queue4A7E3555',
'Arn',
],
},
},
],
'Version': '2012-10-17',
},
},
},
},
});
});
});

test('test ".fifo" suffixed queues register as fifo', () => {
const stack = new Stack();
const queue = new sqs.Queue(stack, 'Queue', {
Expand Down