fix: CSR Comments (encryption at rest, in transit, auth scheme)

Author: greynewell

lib/cell-stack.ts

@@ -5,7 +5,7 @@ import { SqsSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';
 import { EventConsumer } from './eventConsumer';
 import { EventProducer } from './eventProducer';
 import { EventRouter } from './eventRouter';
-import { Queue } from 'aws-cdk-lib/aws-sqs';
+import { Queue, QueueEncryption } from 'aws-cdk-lib/aws-sqs';
 import { EventMonitoring } from './eventMonitoring';
 import { consumers } from 'stream';
 
@@ -37,7 +37,10 @@ export class CellStack extends cdk.Stack {
         this.consumers.forEach(consumer => {
             const target = this.router.targets.find(target => target.type == consumer.type)!;
 
-            const deadLetterQueue = new Queue(this, consumer.node.id + consumer.type + 'DeadLetterQueue');
+            const deadLetterQueue = new Queue(this, consumer.node.id + consumer.type + 'DeadLetterQueue', {
+                encryption: QueueEncryption.SQS_MANAGED,
+                enforceSSL: true
+            });
             target.topic.addSubscription(new SqsSubscription(consumer.queue, {
                 deadLetterQueue: deadLetterQueue
             }));

lib/eventConsumer.ts

@@ -1,6 +1,6 @@
 import { aws_iam, aws_lambda, Duration, PhysicalName } from "aws-cdk-lib";
 import { Metric } from "aws-cdk-lib/aws-cloudwatch";
-import { Queue } from "aws-cdk-lib/aws-sqs";
+import { Queue, QueueEncryption } from "aws-cdk-lib/aws-sqs";
 import { Construct } from "constructs";
 
 export const EventQueueConsumerEvents = ['ingestion', 'reconciliation', 'authorization', 'posting'] as const;
@@ -22,11 +22,15 @@ export class EventConsumer extends Construct {
         this.type = props.type;
 
         const deadLetterQueue = new Queue(this, id + 'DeadLetterQueue', {
-            queueName: PhysicalName.GENERATE_IF_NEEDED
+            queueName: PhysicalName.GENERATE_IF_NEEDED,
+            encryption: QueueEncryption.SQS_MANAGED,
+            enforceSSL: true
         });
 
         // create a queue with a dead letter queue attached
         this.queue = new Queue(this, id + 'EventsQueue', {
+            encryption: QueueEncryption.SQS_MANAGED,
+            enforceSSL: true,
             visibilityTimeout: Duration.seconds(30),
             deadLetterQueue: {
                 maxReceiveCount: 3,

lib/eventMonitoring.ts

@@ -8,6 +8,7 @@ import { Queue } from 'aws-cdk-lib/aws-sqs';
 import { EmailSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';
 import { Topic } from 'aws-cdk-lib/aws-sns';
 import { ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import { Key } from 'aws-cdk-lib/aws-kms';
 
 export interface EventMonitoringProps {
   router: EventRouter;
@@ -332,7 +333,9 @@ export class EventMonitoring extends Construct {
 
     // Create SNS topic for alarms
     const alarmTopic = new Topic(this, 'AlarmTopic', {
-      displayName: 'Event Monitoring Alarms'
+      displayName: 'Event Monitoring Alarms',
+      enforceSSL: true,
+      masterKey: new Key(scope, id + "Key"),
     });
     // Add email subscription
     alarmTopic.addSubscription(new EmailSubscription('[email protected]'));

lib/eventProducer.ts

@@ -120,7 +120,9 @@ export class EventProducer extends Construct {
 
         // add request to all routes
         const businessEventPost: MethodOptions = {
-            // Change to your preferred type
+            // WARNING: For production APIs, we recommend an
+            // authorization strategy as a security best practice.
+            // We use IAM here as this is a sample API.
             authorizationType: AuthorizationType.IAM,
             requestParameters: {
                 "method.request.header.Authorization": true,

lib/eventRouter.ts

@@ -7,6 +7,7 @@ import { EventQueueConsumerEvents, EventQueueConsumerEventType } from "./eventCo
 import { Duration, PhysicalName, RemovalPolicy } from "aws-cdk-lib";
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Queue } from "aws-cdk-lib/aws-sqs";
+import { Key } from "aws-cdk-lib/aws-kms";
 
 export type EventRouterProps = {
 
@@ -101,6 +102,8 @@ export class EventRouter extends Construct {
         // Create the SNS topic
         const topic = new Topic(stack, name + 'Topic', {
             ...props,
+            enforceSSL: true,
+            masterKey: new Key(stack, name + "Key"),
             loggingConfigs: [{
                 protocol: LoggingProtocol.SQS,
                 successFeedbackRole: successFeedbackRole,