Ensure Amazon SQS queues enforce Server-Side Encryption (SSE)

Server-side encryption (SSE) lets you transmit sensitive data through encrypted queues: SSE encrypts the contents of messages stored in a queue using keys managed in AWS Key Management Service (AWS KMS).

Risk Level: High
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.TF.AWS.CRY.44
Covered by Spectral: No
Category: Database


aws_sqs_queue should have kms_master_key_id
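The rule above is a Terraform check: every aws_sqs_queue resource must set kms_master_key_id. As an added example (not CloudGuard's own engine, and not code from this page), the script below evaluates that rule against the JSON that `terraform show -json` produces for a plan. The plan fragment, the queue names and the key alias `alias/example-sqs-cmk` are constructed for the example; it also treats an empty kms_master_key_id as a failure, which the one-line rule does not spell out.

```python
"""Evaluate "aws_sqs_queue should have kms_master_key_id" against a
Terraform plan rendered with `terraform show -json tfplan`.
Added example; the plan below is constructed, not taken from a real project."""
import json

# Constructed sample: the planned_values slice of a plan JSON with one
# unencrypted queue, one queue bound to a (hypothetical) KMS alias, one queue
# with an empty key id, and one non-SQS resource that must be ignored.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_sqs_queue.orders",
                    "type": "aws_sqs_queue",
                    "name": "orders",
                    "values": {
                        "name": "orders-queue",
                        "fifo_queue": False,
                        # no kms_master_key_id -> violates the rule
                    },
                },
                {
                    "address": "aws_sqs_queue.payments",
                    "type": "aws_sqs_queue",
                    "name": "payments",
                    "values": {
                        "name": "payments-queue.fifo",
                        "fifo_queue": True,
                        "kms_master_key_id": "alias/example-sqs-cmk",  # hypothetical alias
                        "kms_data_key_reuse_period_seconds": 300,
                    },
                },
                {
                    "address": "aws_sqs_queue.empty_key",
                    "type": "aws_sqs_queue",
                    "name": "empty_key",
                    "values": {"name": "empty-key-queue", "kms_master_key_id": ""},
                },
                {
                    "address": "aws_s3_bucket.logs",
                    "type": "aws_s3_bucket",
                    "name": "logs",
                    "values": {"bucket": "example-logs"},
                },
            ]
        }
    },
})


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def has_kms_key(values):
    """The rule passes only when kms_master_key_id is present and non-empty."""
    key = values.get("kms_master_key_id")
    return isinstance(key, str) and key.strip() != ""


def evaluate_plan(plan_json):
    """Return (compliant, non_compliant) lists of aws_sqs_queue addresses."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    compliant, non_compliant = [], []
    for res in iter_resources(root):
        if res.get("type") != "aws_sqs_queue":
            continue
        bucket = compliant if has_kms_key(res.get("values", {})) else non_compliant
        bucket.append(res["address"])
    return compliant, non_compliant


if __name__ == "__main__":
    ok, bad = evaluate_plan(SAMPLE_PLAN)
    for addr in bad:
        print(f"FAIL D9.TF.AWS.CRY.44 {addr}: aws_sqs_queue has no kms_master_key_id")
    for addr in ok:
        print(f"PASS D9.TF.AWS.CRY.44 {addr}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to evaluate_plan. Note that the rule is satisfied only by a KMS key reference; a queue that relies on SQS-owned keys (the provider's sqs_managed_sse_enabled attribute) is still encrypted at rest but does not set kms_master_key_id and will be reported as non-compliant by this rule.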


Perform the following to enable server-side encryption on your queue:

  1. Sign in to the Amazon SQS console at https://console.aws.amazon.com/sqs/
  2. Choose Create New Queue.
  3. On the Create New Queue page, ensure that you're in the correct region and then enter the Queue Name.
  4. Standard is selected by default. Choose FIFO.
  5. Choose Configure Queue, and then choose Use SSE.
  6. Specify the customer master key (CMK) ID.
  7. Choose Create Queue.

From CLI
aws sqs set-queue-attributes --queue-url <Queue url> --attributes KmsMasterKeyId=<CMK key name>

CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface, or SDK of your choice, and three simple commands.

Compliance Frameworks

  • Terraform AWS CIS Foundations