SQS queue server-side encryption should be enabled (AWS-managed keys)

Description

When using SQS queues to send and receive sensitive data, the message payloads should be encrypted using Server Side Encryption (SSE). SQS messages are encrypted using KMS keys.

Remediation Steps

AWS Console

  • Navigate to SQS.

  • Select an existing queue.

  • From Queue Actions, select Configure Queue.

  • Under Server-Side Encryption (SSE) Settings, check Use SSE.

  • Next to AWS KMS Customer Master Key (CMK), select a key.

  • Select Save Changes.

AWS CLI

  • Encrypt SQS Queue using a KMS key:

    • aws sqs set-queue-attributes --queue-url <url> --attributes '{"KmsMasterKeyId":"<key-id>","KmsDataKeyReusePeriodSeconds":"60"}'

Terraform

  • Ensure that the aws_sqs_queue kms_master_key_id field is set to the ID of an AWS-managed KMS key.

Example Configuration

resource "aws_sqs_queue" "example-queue" {
  name                              = "my-example-queue"
  kms_master_key_id                 = "${aws_kms_key.test-key.id}"
  kms_data_key_reuse_period_seconds = 300
}