Ensure that AWS SQS is encrypted using Customer Managed keys instead of AWS-owned CMKs

AWS SQS queues should be encrypted using Customer Managed keys instead of AWS-owned CMKs. This is required to meet regulatory requirements for server-side encryption of sensitive data that may be stored in the queue.

Risk Level: Low
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.AWS.CRY.52
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Sqs where cryptoKey.enabled=true should have cryptoKey.isCustomerManaged=true

REMEDIATION

From Portal
Perform the following to set at-rest encryption using a Customer Managed key:

  1. Log in to the AWS Management Console.
  2. Open the Amazon SQS console.
  3. Open a Queue and click Edit at the top right corner.
  4. Expand Encryption and select Enabled.
  5. Enter a Customer managed key and click Save.

From TF

resource "aws_sqs_queue" "example" {
  name                              = "terraform-example-queue"
  # Add: a customer managed KMS key (key ID, key ARN or alias), not the AWS-owned alias/aws/sqs
  kms_master_key_id                 = "Customer_Managed_Key"
  # Add: how long (in seconds, 60 to 86400) SQS may reuse a data key before calling KMS again
  kms_data_key_reuse_period_seconds = VALUE
  ...
}

From Command Line

aws sqs set-queue-attributes --queue-url QUEUE_URL --attributes KmsMasterKeyId=Customer_Managed_Key
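The check behind the GSL logic above, as an added example (not CloudGuard's or AWS's code): it classifies a queue's at-rest encryption from the Attributes map that get-queue-attributes returns and flags queues whose KMS key is the AWS-owned alias/aws/sqs. It assumes cryptoKey.enabled corresponds to a non-empty KmsMasterKeyId (the page does not define that mapping); the queue URLs, account number and key ID are constructed sample values.

```python
"""Evaluate SQS queue attributes against the customer-managed-key rule."""

AWS_OWNED_SQS_KEY = "alias/aws/sqs"   # AWS-owned CMK that SQS uses by default


def classify_encryption(attrs):
    """Return 'none', 'sqs-sse', 'aws-owned-cmk' or 'customer-managed'."""
    key = attrs.get("KmsMasterKeyId", "")
    if key:
        # KmsMasterKeyId may be a key ID, key ARN, alias name or alias ARN;
        # an alias ARN for the AWS-owned key ends in ':alias/aws/sqs'.
        if key == AWS_OWNED_SQS_KEY or key.endswith(":" + AWS_OWNED_SQS_KEY):
            return "aws-owned-cmk"
        return "customer-managed"
    # SSE-SQS uses SQS-owned keys and sets no KmsMasterKeyId.
    if attrs.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "sqs-sse"
    return "none"


def is_compliant(attrs):
    """Rule as written: where a KMS key is enabled it must be customer managed.
    Assumption: cryptoKey.enabled maps to a non-empty KmsMasterKeyId."""
    return classify_encryption(attrs) != "aws-owned-cmk"


def audit(queues):
    """queues: {queue_url: attrs}. Returns the URLs that violate the rule."""
    return sorted(url for url, attrs in queues.items() if not is_compliant(attrs))


# Constructed sample data in the shape get-queue-attributes returns.
SAMPLE_QUEUES = {
    "https://sqs.us-east-1.amazonaws.com/111122223333/orders": {
        "KmsMasterKeyId": "alias/aws/sqs"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/payments": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                          "1234abcd-12ab-34cd-56ef-1234567890ab"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/audit-log": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:alias/aws/sqs"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/tmp": {
        "SqsManagedSseEnabled": "true"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/plain": {},
}

if __name__ == "__main__":
    for url in audit(SAMPLE_QUEUES):
        print("NON-COMPLIANT (AWS-owned key):", url)
```

To run it against a live account, build the queues dict from boto3's list_queues and get_queue_attributes (requesting KmsMasterKeyId and SqsManagedSseEnabled) and pass it to audit().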

References

  1. https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
  2. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset