# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description: |
  ### Document Name - ASR-AFSBP_1.0.0_SQS.1

  ## What does this document do?
  This document enables encryption at rest using AWS KMS for SQS Queues.

  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Output Parameters
  * Remediation.Output

  ## Documentation Links
  * [AFSBP v1.0.0 SQS.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-sqs-1)
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: 'String'
    description: '(Required) The ARN of the role that allows Automation to perform the actions on your behalf.'
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  Finding:
    type: 'StringMap'
    description: 'The input from the Orchestrator Step function for the SQS.1 finding'
  KmsKeyArn:
    type: 'String'
    default: >-
      {{ssm:/Solutions/SO0111/CMK_REMEDIATION_ARN}}
    description: 'The ARN of the KMS key created by ASR for this remediation'
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):kms:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:(?:(?:alias/[A-Za-z0-9/-_])|(?:key/(?i:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})))$'
outputs:
- 'ParseInput.AffectedObject'
- 'Remediation.Output'
mainSteps:
- name: 'ParseInput'
  action: 'aws:executeScript'
  outputs:
    - Name: 'FindingId'
      Selector: '$.Payload.finding.Id'
      Type: 'String'
    - Name: 'ProductArn'
      Selector: '$.Payload.finding.ProductArn'
      Type: 'String'
    - Name: 'AffectedObject'
      Selector: '$.Payload.object'
      Type: 'StringMap'
    - Name: 'SQSQueueName'
      Selector: '$.Payload.resource_id'
      Type: 'String'
    - Name: 'RemediationRegion'
      Selector: '$.Payload.resource_region'
      Type: 'String'
    - Name: 'RemediationAccount'
      Selector: '$.Payload.account_id'
      Type: 'String'
  inputs:
    InputPayload:
      Finding: '{{Finding}}'
      parse_id_pattern: '^arn:(?:aws|aws-us-gov|aws-cn):sqs:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:([a-zA-Z0-9_-]{1,80}(?:\.fifo)?)$'
      expected_control_id:
      - 'SQS.1'
    Runtime: 'python3.8'
    Handler: 'parse_event'
    Script: |-
      %%SCRIPT=common/parse_input.py%%
- name: 'Remediation'
  action: 'aws:executeAutomation'
  isEnd: false
  inputs:
    DocumentName: 'ASR-EnableEncryptionForSQSQueue'
    TargetLocations:
    - Accounts: ['{{ ParseInput.RemediationAccount }}']
      Regions: ['{{ ParseInput.RemediationRegion }}']
      ExecutionRoleName: 'SO0111-EnableEncryptionForSQSQueue'
    RuntimeParameters:
      KmsKeyArn: '{{ KmsKeyArn }}'
      AutomationAssumeRole: 'arn:{{ global:AWS_PARTITION }}:iam::{{ global:ACCOUNT_ID }}:role/SO0111-EnableEncryptionForSQSQueue'
      SQSQueueName: '{{ ParseInput.SQSQueueName }}'
- name: 'UpdateFinding'
  action: 'aws:executeAwsApi'
  inputs:
    Service: 'securityhub'
    Api: 'BatchUpdateFindings'
    FindingIdentifiers:
    - Id: '{{ ParseInput.FindingId }}'
      ProductArn: '{{ ParseInput.ProductArn }}'
    Note:
      Text: 'Encryption enabled on SQS Queue'
      UpdatedBy: 'ASR-AFSBP_1.0.0_SQS.1'
    Workflow:
      Status: 'RESOLVED'
  isEnd: true