Add query to check if MQ Broker is publicly accessible for CF Checkma…
joaomartinscx authored Mar 25, 2021
1 parent 3ba36a6 commit 3a9cb87
Showing 7 changed files with 159 additions and 0 deletions.
@@ -0,0 +1,9 @@
{
"id": "68b6a789-82f8-4cfd-85de-e95332fe6a61",
"queryName": "MQ Broker Is Publicly Accessible",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Check if any MQ Broker is not publicly accessible",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-publiclyaccessible",
"platform": "CloudFormation"
}
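Review bot: `descriptionText` reads as the inverse of the condition the query reports: the query name is "MQ Broker Is Publicly Accessible" and the positive fixtures carry `PubliclyAccessible: true`, yet the text says "Check if any MQ Broker is not publicly accessible". If the project's convention is for this field to describe the finding rather than the desired state, `"descriptionText": "Check if any MQ Broker is publicly accessible"` would match the rule body.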
@@ -0,0 +1,19 @@
package Cx

CxPolicy[result] {
document := input.document
resource = document[i].Resources[name]
resource.Type == "AWS::AmazonMQ::Broker"
properties := resource.Properties
object.get(properties, "PubliclyAccessible", "undefined") != "undefined"

properties.PubliclyAccessible

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("Resources.%s.Properties.PubliclyAccessible", [name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("Resources.%s.Properties.PubliclyAccessible is false or undefined", [name]),
"keyActualValue": sprintf("Resources.%s.Properties.PubliclyAccessible is true", [name]),
}
}
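Review bot: The bare `properties.PubliclyAccessible` expression after the `object.get` line is satisfied by any defined value other than boolean `false`, so a template that writes the property as the string `"false"` — the same string form these fixtures use for `AutoMinorVersionUpgrade: "false"` — would be reported as publicly accessible. The `object.get(properties, "PubliclyAccessible", "undefined") != "undefined"` guard on the line above adds nothing once the property is referenced directly, and `resource = document[i].Resources[name]` mixes `=` with the `:=` used on the neighbouring lines. A small helper that accepts the boolean and the string spelling keeps both positive fixtures passing while removing the false positive; a negative fixture with `PubliclyAccessible: "false"` would pin that behaviour.
```rego
CxPolicy[result] {
	document := input.document
	resource := document[i].Resources[name]
	resource.Type == "AWS::AmazonMQ::Broker"
	properties := resource.Properties
	isPubliclyAccessible(properties.PubliclyAccessible)

	# … unchanged: result object …
}

# CloudFormation accepts this property as a boolean or as a string; only these
# spellings mean the broker is reachable from outside the VPC.
isPubliclyAccessible(value) {
	value == true
}

isPubliclyAccessible(value) {
	is_string(value)
	lower(value) == "true"
}
```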
@@ -0,0 +1,24 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
BasicBroker:
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: "false"
BrokerName: MyBasicBroker
DeploymentMode: SINGLE_INSTANCE
EncryptionOptions:
UseAwsOwnedKey: true
EngineType: ActiveMQ
EngineVersion: "5.15.0"
HostInstanceType: mq.t2.micro
PubliclyAccessible: false
Users:
-
ConsoleAccess: "true"
Groups:
- MyGroup
Password:
Ref: "BrokerPassword"
Username:
Ref: "BrokerUsername"
@@ -0,0 +1,34 @@
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a basic ActiveMQ broker",
"Resources": {
"BasicBroker2": {
"Type": "AWS::AmazonMQ::Broker",
"Properties": {
"BrokerName": "MyBasicBroker",
"DeploymentMode": "SINGLE_INSTANCE",
"EncryptionOptions": {
"UseAwsOwnedKey": true
},
"EngineType": "ActiveMQ",
"EngineVersion": "5.15.0",
"HostInstanceType": "mq.t2.micro",
"Users": [
{
"ConsoleAccess": "true",
"Groups": [
"MyGroup"
],
"Password": {
"Ref": "BrokerPassword"
},
"Username": {
"Ref": "BrokerUsername"
}
}
],
"AutoMinorVersionUpgrade": "false"
}
}
}
}
@@ -0,0 +1,24 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
BasicBroker:
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: "false"
BrokerName: MyBasicBroker
DeploymentMode: SINGLE_INSTANCE
EncryptionOptions:
UseAwsOwnedKey: true
EngineType: ActiveMQ
EngineVersion: "5.15.0"
HostInstanceType: mq.t2.micro
PubliclyAccessible: true
Users:
-
ConsoleAccess: "true"
Groups:
- MyGroup
Password:
Ref: "BrokerPassword"
Username:
Ref: "BrokerUsername"
@@ -0,0 +1,35 @@
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a basic ActiveMQ broker",
"Resources": {
"BasicBroker2": {
"Type": "AWS::AmazonMQ::Broker",
"Properties": {
"BrokerName": "MyBasicBroker",
"DeploymentMode": "SINGLE_INSTANCE",
"EncryptionOptions": {
"UseAwsOwnedKey": true
},
"EngineType": "ActiveMQ",
"EngineVersion": "5.15.0",
"HostInstanceType": "mq.t2.micro",
"Users": [
{
"ConsoleAccess": "true",
"Groups": [
"MyGroup"
],
"Password": {
"Ref": "BrokerPassword"
},
"Username": {
"Ref": "BrokerUsername"
}
}
],
"AutoMinorVersionUpgrade": "false",
"PubliclyAccessible": true
}
}
}
}
@@ -0,0 +1,14 @@
[
{
"queryName": "MQ Broker Is Publicly Accessible",
"severity": "MEDIUM",
"line": 15,
"fileName": "positive1.yaml"
},
{
"queryName": "MQ Broker Is Publicly Accessible",
"severity": "MEDIUM",
"line": 31,
"fileName": "positive2.json"
}
]
