Detection: SQS Queue Created with Encryption at Rest Disabled
Overview
Detect when an Amazon SQS queue was created without encryption at rest enabled. SQS queues without encryption store data in plaintext, increasing the risk of unauthorized access and compromising sensitive messages. Enabling encryption ensures secure message storage and aligns with best practices for data protection.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.sqs_queue_created_with_encryption_at_rest_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.sqs_queue_created_with_encryption_at_rest_disabled --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,coalesce(response_elements ->> 'queueUrl', request_parameters ->> 'queueUrl') as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_name = 'CreateQueue' and (request_parameters -> 'attributes' ->> 'KmsMasterKeyId') is null and error_code is null
order by event_time desc;