SQS queue server-side encryption should be enabled with KMS keys

Description

When SQS queues carry sensitive data, message payloads should be encrypted at rest using server-side encryption with keys managed in KMS (SSE-KMS). Using SQS-owned keys (SSE-SQS) also encrypts the payload, but the key is invisible to the account owner: there is no key policy to review, no per-key CloudTrail record of who decrypted what, and no control over rotation. Two caveats apply in either mode: SSE protects only the message body, not queue metadata or message metadata (message ID, timestamp, message attributes), so sensitive values must not be placed in message attributes; and with SSE-KMS, every producer needs kms:GenerateDataKey and every consumer kms:Decrypt on the key, including AWS services that publish to the queue (for example SNS or S3 event notifications), whose service principals must be allowed in the key policy or their deliveries fail silently. The KmsDataKeyReusePeriodSeconds attribute (60 to 86400 seconds) controls how long SQS reuses a data key before calling KMS again; a shorter period means more KMS calls and cost, not stronger protection of data already encrypted.

Remediation Steps

AWS Console

  • Navigate to SQS.

  • Select an existing queue.

  • From Queue Actions, select Configure Queue.

  • Under Server-Side Encryption (SSE) Settings, check Use SSE.

  • Next to AWS KMS Customer Master Key (CMK), select a key.

  • Select Save Changes.

AWS CLI

  • Encrypt SQS Queue using a KMS key:

    • aws sqs set-queue-attributes --queue-url <url> --attributes '{"KmsMasterKeyId":"<key-id>","KmsDataKeyReusePeriodSeconds":"60"}'
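
The following is an added audit script, not part of the original page, showing how to classify each queue's encryption mode from the attributes GetQueueAttributes returns (none, SSE-SQS, SSE-KMS with the AWS managed alias/aws/sqs key, or SSE-KMS with a customer-managed key) and how to build the same SetQueueAttributes call as the CLI command above. The classification and remediation helpers are pure and run offline on the constructed sample attribute maps; the boto3 calls in main() are only reached against a real account. Queue URLs, account ID and key ARN in the samples are made up.

```python
"""Audit SQS queues for SSE-KMS and build the remediation attributes.

Added example (not code from the original page). The classification logic is
pure and runs offline on constructed attribute dicts; boto3 is imported only
inside main(), which talks to a real account.
"""
from __future__ import annotations

# Attribute names exactly as GetQueueAttributes / SetQueueAttributes use them.
KMS_KEY_ATTR = "KmsMasterKeyId"
REUSE_ATTR = "KmsDataKeyReusePeriodSeconds"
SQS_MANAGED_ATTR = "SqsManagedSseEnabled"

AWS_MANAGED_SQS_ALIAS = "alias/aws/sqs"  # the AWS managed key for SQS


def classify_encryption(attributes: dict[str, str]) -> str:
    """Return 'none', 'sse-sqs', 'sse-kms-aws-managed' or 'sse-kms-cmk'."""
    key_id = attributes.get(KMS_KEY_ATTR, "").strip()
    if key_id:
        # The AWS managed key appears as the bare alias or an alias ARN
        # (arn:aws:kms:<region>:<account>:alias/aws/sqs); anything else is a
        # customer-managed key (key ID, key ARN or custom alias).
        if key_id == AWS_MANAGED_SQS_ALIAS or key_id.endswith(":" + AWS_MANAGED_SQS_ALIAS):
            return "sse-kms-aws-managed"
        return "sse-kms-cmk"
    if attributes.get(SQS_MANAGED_ATTR, "false").lower() == "true":
        return "sse-sqs"
    return "none"


def findings(attributes: dict[str, str]) -> list[str]:
    """Control failures for one queue as readable strings; an empty list is a pass."""
    out: list[str] = []
    mode = classify_encryption(attributes)
    if mode == "none":
        out.append("server-side encryption is disabled")
    elif mode == "sse-sqs":
        out.append("SSE-SQS in use: no key policy, key-usage audit trail or rotation control")
    else:
        reuse = int(attributes.get(REUSE_ATTR, "300"))  # SQS default is 300
        if not 60 <= reuse <= 86400:
            out.append(f"{REUSE_ATTR}={reuse} is outside the allowed 60..86400 range")
    return out


def remediation_attributes(key_id: str, reuse_seconds: int = 300) -> dict[str, str]:
    """Attributes for SetQueueAttributes that switch a queue to SSE-KMS.

    Same payload as the CLI command on this page; SQS requires string values.
    """
    if not 60 <= reuse_seconds <= 86400:
        raise ValueError(f"{REUSE_ATTR} must be between 60 and 86400")
    return {KMS_KEY_ATTR: key_id, REUSE_ATTR: str(reuse_seconds)}


def audit(queues: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Map each queue URL to its findings (empty list = passes the control)."""
    return {url: findings(attrs) for url, attrs in queues.items()}


# Constructed sample data: what GetQueueAttributes would return for three queues.
SAMPLE_QUEUES: dict[str, dict[str, str]] = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/plain": {},
    "https://sqs.us-east-1.amazonaws.com/123456789012/sqs-managed": {SQS_MANAGED_ATTR: "true"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/cmk": {
        KMS_KEY_ATTR: "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        REUSE_ATTR: "300",
    },
}


def main(region: str = "us-east-1", key_id: str | None = None) -> None:
    """Live run: audit every queue in the region; remediate when a key ID is given."""
    import boto3  # imported here so the pure helpers above run without it

    sqs = boto3.client("sqs", region_name=region)
    queues: dict[str, dict[str, str]] = {}
    for url in sqs.list_queues().get("QueueUrls", []):
        queues[url] = sqs.get_queue_attributes(
            QueueUrl=url, AttributeNames=[KMS_KEY_ATTR, REUSE_ATTR, SQS_MANAGED_ATTR]
        ).get("Attributes", {})
    for url, problems in audit(queues).items():
        print(url, "PASS" if not problems else "; ".join(problems))
        if problems and key_id:
            sqs.set_queue_attributes(QueueUrl=url, Attributes=remediation_attributes(key_id))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for url, problems in audit(SAMPLE_QUEUES).items():
        print(url, "PASS" if not problems else "; ".join(problems))
```

Run it as-is to see the offline verdicts; call main(region, key_id) with an IAM identity that has sqs:ListQueues, sqs:GetQueueAttributes and sqs:SetQueueAttributes to audit and, when a key ID is supplied, remediate a real account. The script intentionally treats the AWS managed alias/aws/sqs key as passing, since it is still a KMS key, but classify_encryption reports it separately because its key policy cannot be edited to grant other accounts or services access.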

Terraform

  • Ensure that the aws_sqs_queue kms_master_key_id field is set to the ID, ARN or alias of a KMS key: a customer-managed key, as in the example below, or the AWS managed key alias/aws/sqs. Leaving the field unset, or setting only sqs_managed_sse_enabled, does not satisfy this control.

Example Configuration

# Customer-managed KMS key referenced by the queue below.
resource "aws_kms_key" "test-key" {
  enable_key_rotation = true
}

resource "aws_sqs_queue" "example-queue" {
  name                              = "my-example-queue"
  kms_master_key_id                 = aws_kms_key.test-key.id  # key ID, ARN or alias all work
  kms_data_key_reuse_period_seconds = 300                      # 60..86400; longer means fewer KMS calls
}