Labels: enhancement (New feature or request)
Description
Is your feature request related to a problem? Please describe.
Feature request.
We use Trivy on our CI and v0.6.3 trips the following detections:
```
AVD-AWS-0095 (HIGH): Topic does not have encryption enabled.
═════════════════════════════════════════════════════════════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
─────────────────────────────────────────────────────────────────────────────────────────────────
 assets/v0.6.3/template.yaml:291-294
─────────────────────────────────────────────────────────────────────────────────────────────────
 291 ┌ AlarmsSNSTopic:
 292 │   Type: AWS::SNS::Topic
 293 │   Properties:
 294 └     TopicName: !Sub ${AWS::StackName}-Alarms
─────────────────────────────────────────────────────────────────────────────────────────────────

AVD-AWS-0096 (HIGH): Queue is not encrypted
═════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.
See https://avd.aquasec.com/misconfig/avd-aws-0096
─────────────────────────────────────────────────────────────────────────────────────────────────
 assets/v0.6.3/template.yaml:243-253
─────────────────────────────────────────────────────────────────────────────────────────────────
 243 ┌ S3NotificationsQueue:
 244 │   Type: AWS::SQS::Queue
 245 │   Properties:
 246 │     # Use crafted queue name to avoid circular dependency with RedriveAllowPolicy
 247 │     QueueName: !Sub ${AWS::StackName}-S3NotificationsQueue
 248 │     ReceiveMessageWaitTimeSeconds: !Ref SQSLongPollingMaxSeconds
 249 │     VisibilityTimeout: !Ref SQSVisibilityTimeout
 250 │     MessageRetentionPeriod: 43200
 251 └     RedrivePolicy:
 ...
─────────────────────────────────────────────────────────────────────────────────────────────────

AVD-AWS-0096 (HIGH): Queue is not encrypted
═════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.
See https://avd.aquasec.com/misconfig/avd-aws-0096
─────────────────────────────────────────────────────────────────────────────────────────────────
 assets/v0.6.3/template.yaml:273-290
─────────────────────────────────────────────────────────────────────────────────────────────────
 273 ┌ SQSDeadLetterQueue:
 274 │   Type: AWS::SQS::Queue
 275 │   Properties:
 276 │     QueueName: !Sub ${AWS::StackName}-S3NotificationsDLQ
 277 │     # Keep messages during 1 day for troubleshooting purposes and redrive.
 278 │     MessageRetentionPeriod: 86400
 279 │     RedriveAllowPolicy:
 280 │       redrivePermission: byQueue
 281 └     # Hand-crafted ARN to avoid circular dependency
 ...
─────────────────────────────────────────────────────────────────────────────────────────────────
```
Describe the solution you'd like
It would be nice if we could pass a KMS key to use as CloudFormation parameter.
Describe alternatives you've considered
None; I understand the content of the messages isn't very critical (I understand they're only file creation notifications, not file content).
However, for ticking the compliance checkbox that would be nice, as these findings are of "HIGH" priority.
Additional context
n/a
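One way to implement the requested parameter, as an added example rather than the project's own template: the parameter name `KmsKeyId`, the condition name and the DLQ target are assumptions, and properties unrelated to encryption are left out (they stay as in the existing template). When no key is passed, the queues fall back to SQS-managed SSE, which clears AVD-AWS-0096 without touching any key policy.

```yaml
Parameters:
  KmsKeyId:  # assumed parameter name
    Type: String
    Default: ""
    Description: >-
      ARN, ID or alias of a customer-managed KMS key used to encrypt the
      alarms topic and the S3 notification queues at rest. Leave empty to
      keep the SNS topic unencrypted and use SQS-managed SSE on the queues.

Conditions:
  UseCustomKmsKey: !Not [!Equals [!Ref KmsKeyId, ""]]

Resources:
  AlarmsSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub ${AWS::StackName}-Alarms
      # SSE-KMS for the topic (AVD-AWS-0095). The customer key's policy must
      # allow cloudwatch.amazonaws.com to call kms:GenerateDataKey* and
      # kms:Decrypt, otherwise alarm notifications are silently dropped; the
      # AWS-managed alias/aws/sns key cannot be used for that reason.
      KmsMasterKeyId: !If [UseCustomKmsKey, !Ref KmsKeyId, !Ref AWS::NoValue]

  S3NotificationsQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub ${AWS::StackName}-S3NotificationsQueue
      ReceiveMessageWaitTimeSeconds: !Ref SQSLongPollingMaxSeconds
      VisibilityTimeout: !Ref SQSVisibilityTimeout
      MessageRetentionPeriod: 43200
      # SSE-KMS for the queue (AVD-AWS-0096). S3 publishes the event
      # notifications, so the key policy must allow s3.amazonaws.com to call
      # kms:GenerateDataKey* and kms:Decrypt, or the bucket notification
      # configuration is rejected. KmsMasterKeyId and SqsManagedSseEnabled
      # are mutually exclusive, hence the !If on both.
      KmsMasterKeyId: !If [UseCustomKmsKey, !Ref KmsKeyId, !Ref AWS::NoValue]
      SqsManagedSseEnabled: !If [UseCustomKmsKey, !Ref AWS::NoValue, true]

  SQSDeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub ${AWS::StackName}-S3NotificationsDLQ
      MessageRetentionPeriod: 86400
      # Same scheme on the DLQ; messages are moved there by SQS itself, so
      # no additional service principal needs access to the key.
      KmsMasterKeyId: !If [UseCustomKmsKey, !Ref KmsKeyId, !Ref AWS::NoValue]
      SqsManagedSseEnabled: !If [UseCustomKmsKey, !Ref AWS::NoValue, true]
```

Re-running `trivy config` on the template after the change should report neither finding for the queues in both parameter modes, and none for the topic when a customer key is supplied.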