Ensure AWS SQS server side encryption is enabled

Error: AWS SQS server side encryption is not enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_16
Checkov Check ID: CKV_AWS_27
Severity: MEDIUM

AWS SQS server side encryption is not enabled

Description

Amazon Simple Queue Service (SQS) can encrypt the messages held in a queue so that sensitive data is protected at rest. It uses server-side encryption (SSE) with an AWS KMS key, either the AWS managed key for SQS (alias/aws/sqs) or a customer managed key (CMK). SSE encrypts only the message body: queue metadata (name and attributes) and message metadata (message ID, timestamps and message attributes) are out of scope, and messages that were already in the queue when SSE was enabled are not retroactively encrypted.

If you operate in a regulated market, such as healthcare (HIPAA), payment card processing (PCI DSS) or US government workloads (FedRAMP), you need to ensure that sensitive data passed through this service is encrypted at rest.

We recommend that you encrypt data queued in SQS.

Fix - Runtime

AWS Console

To enable encryption on a queue using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon SQS console.
  3. Open a Queue and click Edit at the top right.
  4. Expand Encryption and select Enabled.
  5. Select the AWS managed key (alias/aws/sqs) or, preferably, a customer managed key (CMK).

CLI Command

aws sqs set-queue-attributes --queue-url <QUEUE_URL> --attributes KmsMasterKeyId=<KEY>

The format of the queue URL is https://sqs.REGION.amazonaws.com/ACCOUNT_ID/QUEUE_NAME

The value can be a KMS key ID, key ARN or alias. The check only requires that a key is set, but prefer a customer managed key over the default service key (alias/aws/sqs): the key policy of the AWS managed key cannot be edited, so producers in other accounts or other AWS services (for example an SNS topic or S3 event notifications publishing to the queue) cannot be granted use of it. Before switching a queue to a customer managed key, make sure producers are allowed kms:GenerateDataKey and kms:Decrypt on that key and consumers are allowed kms:Decrypt; otherwise SendMessage and ReceiveMessage calls start failing with KMS access errors.
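The following script is an added example, not Bridgecrew or Checkov code. It applies the condition behind this check to the attribute map that get-queue-attributes returns (so it can be run offline on the constructed sample below, which uses a made-up account ID, queue names and key ARN), distinguishes the AWS managed key from a customer managed key, validates the values before they are sent to set-queue-attributes, and offers a live mode that walks every queue in a region and optionally applies the same fix as the CLI command above. The live mode assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit SQS queues for server-side encryption (the condition CKV_AWS_27 checks).

Added example, not Bridgecrew/Checkov code. evaluate_queue() works on the
attribute map returned by GetQueueAttributes, so it runs offline on the
constructed SAMPLE_QUEUES below; audit_region() is the live wrapper and assumes
boto3 is installed and AWS credentials are configured.
"""
from dataclasses import dataclass
from typing import Optional

# The AWS managed key for SQS. Its key policy cannot be edited, so producers in
# other accounts or services (SNS, S3 event notifications) cannot be granted use
# of it; a customer managed key is preferred.
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"
MIN_REUSE_SECONDS, MAX_REUSE_SECONDS = 60, 86_400  # documented bounds


@dataclass
class Finding:
    queue_url: str
    status: str  # "FAIL" (no SSE), "WARN" (AWS managed key), "PASS" (customer key), "FIXED"
    detail: str


def is_aws_managed_key(key_id: str) -> bool:
    """True for the alias form or its ARN form. A bare key ID/ARN cannot be
    classified without a KMS DescribeKey call (KeyManager field), so it is
    treated as customer managed here."""
    return key_id == AWS_MANAGED_SQS_KEY or key_id.endswith(":" + AWS_MANAGED_SQS_KEY)


def evaluate_queue(queue_url: str, attributes: dict) -> Finding:
    """Apply the check to one queue's attribute map (keys as SQS returns them)."""
    key_id = attributes.get("KmsMasterKeyId", "")
    if not key_id:
        return Finding(queue_url, "FAIL", "KmsMasterKeyId not set: message bodies are stored unencrypted")
    if is_aws_managed_key(key_id):
        return Finding(queue_url, "WARN", f"SSE enabled with AWS managed key {key_id}; key policy not controllable")
    reuse = int(attributes.get("KmsDataKeyReusePeriodSeconds", 300))  # SQS default is 300
    return Finding(queue_url, "PASS", f"SSE enabled with {key_id} (data key reuse {reuse}s)")


def remediation_attributes(key_id: str, reuse_seconds: int = 300) -> dict:
    """Attributes for SetQueueAttributes, i.e. the payload behind
    `aws sqs set-queue-attributes --attributes KmsMasterKeyId=...`.
    Rejects the AWS managed key and out-of-range reuse periods before calling AWS."""
    if not key_id or is_aws_managed_key(key_id):
        raise ValueError("use a customer managed KMS key ID, ARN or alias")
    if not MIN_REUSE_SECONDS <= reuse_seconds <= MAX_REUSE_SECONDS:
        raise ValueError(f"KmsDataKeyReusePeriodSeconds must be {MIN_REUSE_SECONDS}-{MAX_REUSE_SECONDS}")
    return {"KmsMasterKeyId": key_id, "KmsDataKeyReusePeriodSeconds": str(reuse_seconds)}


# Constructed sample: what GetQueueAttributes would return for three queues
# (fictional account ID, queue names and key ARN).
SAMPLE_QUEUES = {
    "https://sqs.eu-west-2.amazonaws.com/123456789012/orders": {},
    "https://sqs.eu-west-2.amazonaws.com/123456789012/payments": {
        "KmsMasterKeyId": "alias/aws/sqs", "KmsDataKeyReusePeriodSeconds": "300"},
    "https://sqs.eu-west-2.amazonaws.com/123456789012/audit-log": {
        "KmsMasterKeyId": "arn:aws:kms:eu-west-2:123456789012:key/11111111-2222-3333-4444-555555555555",
        "KmsDataKeyReusePeriodSeconds": "900"},
}


def audit(queues: dict) -> list:
    """Evaluate a {queue_url: attributes} map; order follows the input."""
    return [evaluate_queue(url, attrs) for url, attrs in queues.items()]


def audit_region(region: str, fix_key_id: Optional[str] = None) -> list:
    """Live version: list every queue in the region and evaluate it. If fix_key_id
    is given, queues without SSE are switched to that key (same call as the CLI fix)."""
    import boto3  # assumption: boto3 installed, credentials configured
    sqs = boto3.client("sqs", region_name=region)
    findings = []
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            attrs = sqs.get_queue_attributes(
                QueueUrl=url,
                AttributeNames=["KmsMasterKeyId", "KmsDataKeyReusePeriodSeconds"],
            ).get("Attributes", {})
            finding = evaluate_queue(url, attrs)
            if finding.status == "FAIL" and fix_key_id:
                sqs.set_queue_attributes(QueueUrl=url, Attributes=remediation_attributes(fix_key_id))
                finding = Finding(url, "FIXED", f"KmsMasterKeyId set to {fix_key_id}")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_QUEUES):
        print(f"{f.status:5} {f.queue_url.rsplit('/', 1)[-1]}: {f.detail}")
```

Run it as-is to see the three sample results (FAIL, WARN, PASS); call audit_region("eu-west-2") against a real account, or audit_region("eu-west-2", fix_key_id="alias/your-key") to also apply the fix to queues that fail. Note that set_queue_attributes does not re-encrypt messages already in the queue, and that the key's policy must allow the queue's producers and consumers before the fix is applied.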

Fix - Buildtime

Terraform

  • Resource: aws_sqs_queue
  • Arguments:
    kms_master_key_id - (Optional) The ID, ARN or alias of the AWS managed key for SQS or of a customer managed key (CMK). Setting it enables SSE for the queue.
    kms_data_key_reuse_period_seconds - (Optional) The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). The default is 300 (5 minutes).
resource "aws_sqs_queue" "example" {
  name                              = "terraform-example-queue"
+ kms_master_key_id                 = "arn:aws:kms:eu-west-2:123412348471:key/252845b2-0345-41c9-a3f0-55d30384d306"
+ kms_data_key_reuse_period_seconds = 300
  ...
}

CloudFormation

  • Resource: AWS::SQS::Queue
  • Arguments: Properties.KmsMasterKeyId
Type: AWS::SQS::Queue
    Properties:
      ...
+     KmsMasterKeyId: "kms_id"