SQS queue server-side encryption should be enabled with KMS keys
Description
When SQS queues are used to send and receive sensitive data, message payloads should be encrypted using server-side encryption with keys managed in KMS (SSE-KMS). SQS-owned keys (SSE-SQS) are also an option, but they lack the benefits of KMS: the ability to view key policies, audit key usage, and rotate cryptographic material.
Remediation Steps
AWS Console
1. Navigate to SQS.
2. Select an existing queue.
3. From Queue Actions, select Configure Queue.
4. Under Server-Side Encryption (SSE) Settings, check Use SSE.
5. Next to AWS KMS Customer Master Key (CMK), select a key.
6. Select Save Changes.
AWS CLI
Encrypt an SQS queue using a KMS key:
aws sqs set-queue-attributes --queue-url <url> --attributes '{"KmsMasterKeyId":"<key-id>","KmsDataKeyReusePeriodSeconds":"60"}'
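The attributes set by the command above are the same ones returned by `get-queue-attributes`, so a queue's encryption state can be audited from that attribute map. The following is an added example, not part of the original page: it classifies a queue as SSE-KMS, SSE-SQS or unencrypted and validates the data-key reuse period against the valid 60 to 86,400 second range. The attribute maps are constructed inline to keep it offline.

```python
"""Classify an SQS queue's encryption state from its attribute map.

Constructed, offline example: the dicts below mimic the shape of
`aws sqs get-queue-attributes --attribute-names All` output.
"""
from typing import Dict, List

# Valid range for KmsDataKeyReusePeriodSeconds (60 s to 24 h).
REUSE_MIN, REUSE_MAX = 60, 86_400


def check_sqs_encryption(attrs: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the queue passes."""
    findings: List[str] = []
    key_id = attrs.get("KmsMasterKeyId", "").strip()
    sqs_managed = attrs.get("SqsManagedSseEnabled", "false").lower() == "true"

    if key_id:
        # SSE-KMS is configured; also validate the data-key reuse window.
        raw = attrs.get("KmsDataKeyReusePeriodSeconds", "300")
        try:
            period = int(raw)
        except ValueError:
            findings.append(f"KmsDataKeyReusePeriodSeconds is not an integer: {raw!r}")
        else:
            if not REUSE_MIN <= period <= REUSE_MAX:
                findings.append(
                    f"KmsDataKeyReusePeriodSeconds={period} outside {REUSE_MIN}-{REUSE_MAX}"
                )
    elif sqs_managed:
        findings.append("SSE-SQS in use: no KMS key policy, usage audit or rotation control")
    else:
        findings.append("no server-side encryption configured")
    return findings


# Constructed sample attribute maps (not real queues or keys).
SAMPLE_QUEUES = {
    "orders": {"KmsMasterKeyId": "alias/example-sqs-key",
               "KmsDataKeyReusePeriodSeconds": "60"},
    "events": {"SqsManagedSseEnabled": "true"},
    "legacy": {"QueueArn": "arn:aws:sqs:us-east-1:123456789012:legacy"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_QUEUES.items():
        result = check_sqs_encryption(attrs) or ["OK: SSE-KMS enabled"]
        print(f"{name}: {'; '.join(result)}")
```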
Terraform
Ensure that the aws_sqs_queue resource's kms_master_key_id field is set to the ID of an AWS-managed KMS key.
Example Configuration
resource "aws_kms_key" "test-key" {
  enable_key_rotation = true   # key referenced by the queue; rotation and policy are auditable in KMS
}

resource "aws_sqs_queue" "example-queue" {
  name                              = "my-example-queue"
  kms_master_key_id                 = aws_kms_key.test-key.id   # SSE-KMS rather than SSE-SQS
  kms_data_key_reuse_period_seconds = 300                       # seconds a data key is cached before KMS is called again
}