SQS queue server-side encryption should be enabled (AWS-managed keys)


When using SQS queues to send and receive sensitive data, the message payloads should be encrypted using Server Side Encryption (SSE). SQS messages are encrypted using KMS keys.

Console Remediation Steps

  • Navigate to SQS.

  • Select an existing queue.

  • From Queue Actions, select Configure Queue.

  • Under Server-Side Encryption (SSE) Settings, check Use SSE.

  • Next to AWS KMS Customer Master Key (CMK), select a key.

  • Select Save Changes.

CLI Remediation Steps

  • Encrypt SQS Queue using a KMS key:

    • aws sqs set-queue-attributes --queue-url <url> --attributes '{"KmsMasterKeyId":"<key-id>","KmsDataKeyReusePeriodSeconds":"60"}'