AWS Security Hub - Detect SQS Queue lacking encryption at rest
Id | 7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10 |
Rulename | AWS Security Hub - Detect SQS Queue lacking encryption at rest |
Description | This query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings. Lack of encryption for SQS queues can expose sensitive message contents if underlying storage or backups are accessed by unauthorized parties. |
Severity | Medium |
Tactics | Impact |
Techniques | T1565.001 |
Required data connectors | AWSSecurityHub |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueueNotEncrypted.yaml |
Version | 1.0.0 |
Arm template | 7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.1"
or tostring(ComplianceSecurityControlId) == "SQS.1"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsSqsQueue"
| extend QueueArn = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
tactics:
- Impact
name: AWS Security Hub - Detect SQS Queue lacking encryption at rest
id: 7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SQS.1"
or tostring(ComplianceSecurityControlId) == "SQS.1"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsSqsQueue"
| extend QueueArn = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn
relevantTechniques:
- T1565.001
description: |
This query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings.
Lack of encryption for SQS queues can expose sensitive message contents if underlying storage or backups are accessed by unauthorized parties.
triggerOperator: gt
queryPeriod: 1h
severity: Medium
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AwsAccountId
- identifier: CloudAppAccountId
columnName: AwsAccountId
entityType: Account
- fieldMappings:
- identifier: Name
columnName: QueueArn
entityType: CloudApplication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueueNotEncrypted.yaml
version: 1.0.0
alertDetailsOverride:
alertDisplayNameFormat: SQS queue {{QueueArn}} not encrypted at rest
alertDescriptionFormat: AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) without server-side encryption enabled. Enable KMS encryption to protect message data at rest.
triggerThreshold: 0
tags:
- AWS Foundational Security Best Practices v1.0.0
- NIST 800-53 r5
kind: Scheduled
queryFrequency: 1h
status: Available
customDetails:
ComplianceControlId: ComplianceSecurityControlId
Region: AwsRegion
FindingId: AwsSecurityFindingId
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) without server-side encryption enabled. Enable KMS encryption to protect message data at rest.",
"alertDisplayNameFormat": "SQS queue {{QueueArn}} not encrypted at rest"
},
"alertRuleTemplateName": "7b8c5e2d-6f1c-4a1f-9e2a-3c5f7a8b9c10",
"customDetails": {
"ComplianceControlId": "ComplianceSecurityControlId",
"FindingId": "AwsSecurityFindingId",
"Region": "AwsRegion"
},
"description": "This query detects Amazon SQS queues without server-side encryption at rest enabled, using AWS Security Hub control SQS.1 findings.\nLack of encryption for SQS queues can expose sensitive message contents if underlying storage or backups are accessed by unauthorized parties.\n",
"displayName": "AWS Security Hub - Detect SQS Queue lacking encryption at rest",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AwsAccountId",
"identifier": "Name"
},
{
"columnName": "AwsAccountId",
"identifier": "CloudAppAccountId"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "QueueArn",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SQSQueueNotEncrypted.yaml",
"query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SQS.1\"\n or tostring(ComplianceSecurityControlId) == \"SQS.1\"\n| mv-expand Resource = Resources\n| where tostring(Resource.Type) == \"AwsSqsQueue\"\n| extend QueueArn = tostring(Resource.Id)\n| summarize TimeGenerated = max(TimeGenerated)\n by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n AwsSecurityFindingId, ComplianceSecurityControlId, QueueArn\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1565.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
"AWS Foundational Security Best Practices v1.0.0",
"NIST 800-53 r5"
],
"techniques": [
"T1565"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}