Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)

Server-side encryption (SSE) lets you transmit sensitive data in encrypted queues. SSE protects the contents of messages in queues using SQS-owned encryption keys (SSE-SQS) or keys managed in the AWS Key Management Service (SSE-KMS).

Risk Level: High
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.AWS.CRY.44
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Sqs should have sqsManagedSseEnabled=true or cryptoKey.enabled=true

REMEDIATION

From Portal

  1. Go to 'Amazon SQS' queues
  2. Under each unencrypted queue, go to the 'Encryption' tab and press 'Edit'
  3. Under 'Encryption' set 'Server-side encryption' to 'Enabled'
  4. Set the 'Encryption key type' and 'Save'
    Note: If 'SSE-KMS' key type was choosen, make sure the key is not disabled.

From TF
For 'SSE-SQS' managed encryption, set 'sqs_managed_sse_enabled' to 'true':

resource "aws_sqs_queue" "queue_example" {
	..
	sqs_managed_sse_enabled = true
	..
}

For 'SSE-KMS' encryption, set the 'kms_master_key_id' property:

resource "aws_sqs_queue" "queue_example" {
	..
	kms_master_key_id = "KMS-MASTER-KEY-ID"
	..
}

From Command Line
For 'SSE-SQS' managed encryption, run:

aws sqs set-queue-attributes --queue-url QUEUE-URL --attributes SqsManagedSseEnabled=true

For 'SSE-KMS' encryption, run:

aws sqs set-queue-attributes --queue-url QUEUE-URL --attributes KmsMasterKeyId=KMS-MASTER-KEY-ID

References

  1. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset