This is a part of the Garrison security project. This agent mainly provides compliance alerts and other basic checks.
| Function Name | Description |
|---|---|
check_dlq_retention |
Checks that the DeadLetterQueues have the max message retention period |
check_encryption |
Checks that the queues have encryption enabled |
check_redrive |
Checks for queues without a redrive policy (excluding those acting as one) |
Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-sqs/
docker pull forward3d/garrison-agent-aws-sqs
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-sqs check_encryption
As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:ListQueues",
"sqs:GetQueueAttributes"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.
Some checks provided by this agent have extra configuration options.
| Environmental Variable | Default |
|---|---|
GARRISON_SQS_MESSAGE_RETENTION_THRESHOLD |
1209600 (14 days) |