fix(cloudformation): accept SqsManagedSseEnabled for CKV_AWS_27 #7588
Open
arpitjain099 wants to merge 1 commit into
Conversation
CKV_AWS_27 only inspected Properties/KmsMasterKeyId, so a queue using native SQS-managed SSE (SqsManagedSseEnabled: true) was reported as FAILED even though it is encrypted. The Terraform check for the same ID already treats sqs_managed_sse_enabled as a valid alternative to a KMS key. Override scan_resource_conf to pass when SQS-managed SSE is enabled, then fall back to the existing KmsMasterKeyId logic. The CFN parser yields a bool for true/false but a (truthy) string for quoted values, so the string form is handled explicitly to keep SqsManagedSseEnabled: "false" failing. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
Fixes #7381
CKV_AWS_27 for CloudFormation only inspects `Properties/KmsMasterKeyId`, so an `AWS::SQS::Queue` that relies on native SQS-managed SSE (`SqsManagedSseEnabled: true`) is reported as FAILED even though the queue is encrypted. The Terraform check for the same ID already accepts `sqs_managed_sse_enabled`, so this just brings the CloudFormation side to parity.

The fix overrides `scan_resource_conf` to return PASSED when SQS-managed SSE is enabled, and otherwise falls back to the existing `KmsMasterKeyId` logic (same pattern as CKV_AWS_161 / `RDSIAMAuthentication`).

One thing to call out on the typing: the CFN parser yields a real bool for `true`/`false`, but a quoted value like `"false"` comes through as a (truthy) string node. That's the case James raised on the earlier attempt (#5870), which otherwise looked good. I picked that approach up and handled it explicitly, so `SqsManagedSseEnabled: "false"` still FAILS rather than slipping through on truthiness. I kept the change scoped to the false positive and didn't touch the no-property default behavior.

Tests: added a PASSED fixture (`SqsManagedSseEnabled: true`) and a FAILED fixture (`SqsManagedSseEnabled: "false"`), and bumped the expected counts. The existing KMS-key and empty-key cases are unchanged.

Checklist:
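The decision logic the description lays out, written as an added standalone example rather than the PR's diff or checkov's own check class: it does not import checkov, it takes the `{"Type": ..., "Properties": {...}}` dict shape the CFN parser hands to `scan_resource_conf`, and it covers the bool-versus-quoted-string case explicitly. The helper names `sqs_managed_sse_enabled`, `kms_key_configured` and `scan_template`, the treatment of a quoted `"true"` as enabled and of a `!Ref` key as configured, and the sample template are all assumptions of this example, not statements about the repository.

```python
"""Standalone model of the CKV_AWS_27 rule described in this PR.

Added illustration, not checkov's code: it reproduces the rule over the
parsed resource dicts the CloudFormation parser produces, without
importing checkov.
"""
from enum import Enum
from typing import Any, Dict, Optional


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def sqs_managed_sse_enabled(value: Any) -> Optional[bool]:
    """Interpret SqsManagedSseEnabled as the parser delivers it.

    Bare true/false in the template arrive as bool; a quoted value such as
    "false" arrives as a (truthy) string, so strings are compared by content
    rather than by truthiness. Returns None when the property is absent or
    has a shape we do not recognise, which sends the caller to the
    KmsMasterKeyId fallback.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        # Assumption: quoted "true"/"false" (any casing) mirror the bools.
        text = value.strip().lower()
        if text == "true":
            return True
        if text == "false":
            return False
    return None


def kms_key_configured(properties: Dict[str, Any]) -> bool:
    """The pre-existing KmsMasterKeyId rule: a non-empty key passes.

    Assumption: an empty string (the "empty-key case") fails, and an
    intrinsic such as {"Ref": "QueueKey"} counts as configured.
    """
    key = properties.get("KmsMasterKeyId")
    if isinstance(key, str):
        return bool(key.strip())
    if isinstance(key, dict):
        return bool(key)
    return False


def scan_resource_conf(conf: Dict[str, Any]) -> CheckResult:
    """CKV_AWS_27: accept SQS-managed SSE first, else fall back to KMS."""
    properties = conf.get("Properties") or {}
    if sqs_managed_sse_enabled(properties.get("SqsManagedSseEnabled")) is True:
        return CheckResult.PASSED
    if kms_key_configured(properties):
        return CheckResult.PASSED
    return CheckResult.FAILED


def scan_template(template: Dict[str, Any]) -> Dict[str, CheckResult]:
    """Run the check over every AWS::SQS::Queue in a parsed template."""
    results: Dict[str, CheckResult] = {}
    for name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") == "AWS::SQS::Queue":
            results[name] = scan_resource_conf(resource)
    return results


# Constructed sample template in the parser's output shape (not a fixture
# from the repository). The quoted "false" is deliberately a string.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ManagedSse": {"Type": "AWS::SQS::Queue",
                       "Properties": {"SqsManagedSseEnabled": True}},
        "QuotedFalse": {"Type": "AWS::SQS::Queue",
                        "Properties": {"SqsManagedSseEnabled": "false"}},
        "KmsKey": {"Type": "AWS::SQS::Queue",
                   "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
        "EmptyKey": {"Type": "AWS::SQS::Queue",
                     "Properties": {"KmsMasterKeyId": ""}},
        "NoProps": {"Type": "AWS::SQS::Queue"},
        "NotAQueue": {"Type": "AWS::SNS::Topic", "Properties": {}},
    }
}

if __name__ == "__main__":
    for queue_name, result in scan_template(SAMPLE_TEMPLATE).items():
        print(f"{queue_name}: {result.value}")
```

The ordering matters for the false-positive being fixed: the SSE flag is consulted before the KMS rule, so `SqsManagedSseEnabled: true` with no key passes, while a quoted `"false"` never short-circuits to PASSED and only passes if a KMS key is also present.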