Risk Level: High
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.AWS.CRY.44
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Sqs should have sqsManagedSseEnabled=true or cryptoKey.enabled=true

REMEDIATION

From Portal

Go to 'Amazon SQS' queues
Under each unencrypted queue, go to the 'Encryption' tab and press 'Edit'
Under 'Encryption' set 'Server-side encryption' to 'Enabled'
Set the 'Encryption key type' and 'Save'
Note: If 'SSE-KMS' key type was choosen, make sure the key is not disabled.

From TF
For 'SSE-SQS' managed encryption, set 'sqs_managed_sse_enabled' to 'true':

resource "aws_sqs_queue" "queue_example" {
	..
	sqs_managed_sse_enabled = true
	..
}

For 'SSE-KMS' encryption, set the 'kms_master_key_id' property:

resource "aws_sqs_queue" "queue_example" {
	..
	kms_master_key_id = "KMS-MASTER-KEY-ID"
	..
}

From Command Line
For 'SSE-SQS' managed encryption, run:

aws sqs set-queue-attributes --queue-url QUEUE-URL --attributes SqsManagedSseEnabled=true

For 'SSE-KMS' encryption, run:

aws sqs set-queue-attributes --queue-url QUEUE-URL --attributes KmsMasterKeyId=KMS-MASTER-KEY-ID

References

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ITSG-33
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset