Skip to content
This repository has been archived by the owner on May 13, 2021. It is now read-only.

forward3d/garrison-agent-aws-sqs

Repository files navigation

Garrison Agent - AWS SQS

This is a part of the Garrison security project. This agent mainly provides compliance alerts and other basic checks.

Checks Provided

Function Name Description
check_dlq_retention Checks that the DeadLetterQueues have the max message retention period
check_encryption Checks that the queues have encryption enabled
check_redrive Checks for queues without a redrive policy (excluding those acting as one)

Installation & Example

Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-sqs/

docker pull forward3d/garrison-agent-aws-sqs
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-sqs check_encryption

AWS Authentication

As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:ListQueues",
                "sqs:GetQueueAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.

Check Specific Configuration

Some checks provided by this agent have extra configuration options.

check_dlq_retention

Environmental Variable Default
GARRISON_SQS_MESSAGE_RETENTION_THRESHOLD 1209600 (14 days)