Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWS Security Hub - Detect SQS Queue lacking encryption at rest

AWS Security Hub - Detect SQS Queue lacking encryption at rest

Back
Id7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10
RulenameAWS Security Hub - Detect SQS Queue lacking encryption at rest
DescriptionThis query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings.

Lack of encryption for SQS queues can expose sensitive message contents if underlying storage or backups are accessed by unauthorized parties.
SeverityMedium
TacticsImpact
TechniquesT1565.001
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueueNotEncrypted.yaml
Version1.0.0
Arm template7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10.json
Deploy To Azure
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.1"
      or tostring(ComplianceSecurityControlId) == "SQS.1"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsSqsQueue"
| extend QueueArn = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn

kind: Scheduled
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
alertDetailsOverride:
  alertDisplayNameFormat: SQS queue {{QueueArn}} not encrypted at rest
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) without server-side encryption enabled. Enable KMS encryption to protect message data at rest.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
- entityType: CloudApplication
  fieldMappings:
  - columnName: QueueArn
    identifier: Name
description: |
  This query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings.
  Lack of encryption for SQS queues can expose sensitive message contents if underlying storage or backups are accessed by unauthorized parties.  
severity: Medium
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1565.001
tags:
- AWS Foundational Security Best Practices v1.0.0
- NIST 800-53 r5
status: Available
tactics:
- Impact
name: AWS Security Hub - Detect SQS Queue lacking encryption at rest
id: 7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.1"
        or tostring(ComplianceSecurityControlId) == "SQS.1"
  | mv-expand Resource = Resources
  | where tostring(Resource.Type) == "AwsSqsQueue"
  | extend QueueArn = tostring(Resource.Id)
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn  
requiredDataConnectors:
- dataTypes:
  - AWSSecurityHubFindings
  connectorId: AWSSecurityHub
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueueNotEncrypted.yaml
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) without server-side encryption enabled. Enable KMS encryption to protect message data at rest.",
          "alertDisplayNameFormat": "SQS queue {{QueueArn}} not encrypted at rest"
        },
        "alertRuleTemplateName": "7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings.\nLack of encryption for SQS queues can expose sensitive message contents if underlying storage or backups are accessed by unauthorized parties.\n",
        "displayName": "AWS Security Hub - Detect SQS Queue lacking encryption at rest",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "QueueArn",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueueNotEncrypted.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SQS.1\"\n      or tostring(ComplianceSecurityControlId) == \"SQS.1\"\n| mv-expand Resource = Resources\n| where tostring(Resource.Type) == \"AwsSqsQueue\"\n| extend QueueArn = tostring(Resource.Id)\n| summarize TimeGenerated = max(TimeGenerated)\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1565.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "tags": [
          "AWS Foundational Security Best Practices v1.0.0",
          "NIST 800-53 r5"
        ],
        "techniques": [
          "T1565"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}