forked from prowler-cloud/prowler
-
Notifications
You must be signed in to change notification settings - Fork 0
/
check_extra728
37 lines (34 loc) · 1.66 KB
/
check_extra728
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
CHECK_ID_extra728="7.28"
CHECK_TITLE_extra728="[extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)"
CHECK_SCORED_extra728="NOT_SCORED"
CHECK_TYPE_extra728="EXTRA"
CHECK_ALTERNATE_check728="extra728"
extra728(){
for regx in $REGIONS; do
LIST_SQS=$($AWSCLI sqs list-queues $PROFILE_OPT --region $regx --query QueueUrls --output text |grep -v ^None)
if [[ $LIST_SQS ]]; then
for queue in $LIST_SQS; do
# check if the policy has KmsMasterKeyId therefore SSE enabled
SSE_ENABLED_QUEUE=$($AWSCLI sqs get-queue-attributes --queue-url $queue $PROFILE_OPT --region $regx --attribute-names All --query Attributes.KmsMasterKeyId --output text|grep -v ^None)
if [[ $SSE_ENABLED_QUEUE ]]; then
textPass "$regx: SQS queue $queue is using Server Side Encryption" "$regx"
else
textFail "$regx: SQS queue $queue is not using Server Side Encryption" "$regx"
fi
done
else
textInfo "$regx: No SQS queues found" "$regx"
fi
done
}