Ensure that AWS SQS is encrypted using AWS managed CMKs (Customer Master Keys) instead of AWS-owned CMKs

AWS SQS should be encrypted using an AWS Managed Customer Master Key (CMK) instead of an AWS-owned CMK. This is required in order to meet regulatory requirements for server-side encryption of sensitive data that may be stored in SQS queues. In addition, encrypting SQS queues with an AWS-managed CMK allows you to view the CMK and its key policy, and to audit encryption/decryption events by examining the SQS API calls recorded in CloudTrail.

Risk Level: Low
Cloud Entity: Simple Queue Service (SQS)
CloudGuard Rule ID: D9.TF.AWS.CRY.52
Covered by Spectral: No
Category: Database

GSL LOGIC

aws_sqs_queue where kms_master_key_id should not have kms_master_key_id like '%alias/aws/%'

REMEDIATION

Perform the following to set at-rest encryption with your own managed key:

From Portal

  1. Log in to the AWS Console.
  2. Navigate to the KMS service.
  3. Select "Customer managed keys" and create a new key.
  4. Navigate to the SQS service.
  5. Select the relevant queue and click Edit.
  6. Look for "Encryption - Optional" and choose the alias of the CMK you just created.

From CLI
aws sqs set-queue-attributes --queue-url <Queue url> --attributes KmsMasterKeyId=<CMK key name>

From TF

resource "aws_sqs_queue" "user_updates" {
  name = "user-updates-queue"
  # Removed the AWS managed key alias that the rule flags: kms_master_key_id = "alias/aws/sns"
  # Point the queue at your customer managed CMK instead (key ID, key ARN or alias).
  kms_master_key_id = "<customer managed CMK key ID or alias>"
}
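As an added example (not part of the CloudGuard rule page), the following Python script applies the same test as the GSL logic above across an account's queues: any KmsMasterKeyId containing "alias/aws/" is an AWS managed key and is reported, and queues with no KMS key at all are reported separately so they are not mistaken for compliant ones. It assumes boto3 is installed and credentials are configured for the live audit; the queue URLs and key ARN in SAMPLE_QUEUES are constructed values.

```python
"""Audit SQS queues for encryption with an AWS managed CMK (mirrors the GSL rule)."""

AWS_MANAGED_MARKER = "alias/aws/"   # same substring the GSL LIKE '%alias/aws/%' matches


def classify_queue(attributes):
    """Classify one queue from its attribute dict (as returned by get_queue_attributes).

    Returns 'compliant' (customer managed CMK), 'aws_managed_key' (alias/aws/... key)
    or 'no_kms_key' (SQS-owned SSE or no encryption; no KMS key to audit in CloudTrail).
    """
    key_id = attributes.get("KmsMasterKeyId")
    if not key_id:
        return "no_kms_key"
    if AWS_MANAGED_MARKER in key_id:   # matches "alias/aws/sqs" and alias ARNs alike
        return "aws_managed_key"
    return "compliant"


def find_noncompliant(queues):
    """Return {queue_url: finding} for every queue that is not using a customer managed CMK."""
    findings = {}
    for url, attrs in queues.items():
        verdict = classify_queue(attrs)
        if verdict != "compliant":
            findings[url] = verdict
    return findings


# Constructed sample data (not real account data) for offline use.
SAMPLE_QUEUES = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/orders":
        {"KmsMasterKeyId": "alias/aws/sqs"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/payments":
        {"KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/events":
        {"SqsManagedSseEnabled": "true"},
}


def audit_account(region_name="us-east-1"):
    """Live audit: fetch every queue's KMS attributes with boto3 (assumed installed) and classify them."""
    import boto3
    sqs = boto3.client("sqs", region_name=region_name)
    queues = {}
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            resp = sqs.get_queue_attributes(
                QueueUrl=url, AttributeNames=["KmsMasterKeyId", "SqsManagedSseEnabled"])
            queues[url] = resp.get("Attributes", {})
    return find_noncompliant(queues)


if __name__ == "__main__":
    for queue_url, finding in find_noncompliant(SAMPLE_QUEUES).items():
        print(f"{finding}: {queue_url}")
```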

Use the following references for additional information regarding SSE for SQS:
https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html

Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, the Command Line Interface or the SDK of your choice, and three simple commands.

Compliance Frameworks

  • Terraform AWS CIS Foundations