Encrypt SQS Queue Data

Violation ID: BC_AWS_GENERAL_16

Ensure all Data Stored in the SQS Queue is Encrypted

Description

Amazon Simple Queue Service (SQS) provides the ability to encrypt queues so sensitive data is passed securely. It uses server-side encryption (SSE) and supports the AWS-managed Customer Master Key (CMK) for SQS as well as customer-created, customer-managed CMKs.

SSE encrypts only the body of the message; queue metadata and message metadata are out of scope. Messages already in the queue when SSE is enabled (backlogged messages) are not encrypted.

Rationale

If you operate in a regulated market, such as healthcare (HIPAA), finance (PCI DSS), or government (FedRAMP), you need to ensure that sensitive data in messages passed through this service is encrypted at rest.

Automated Remediation

Runtime Resource

n/a

Buildtime Resource

Terraform

Resource: aws_sqs_queue
Arguments:
kms_master_key_id - (Optional) The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK.
kms_data_key_reuse_period_seconds - (Optional) The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). The default is 300 (5 minutes).

resource "aws_sqs_queue" "terraform_queue" {
  name                              = "terraform-example-queue"
+ kms_master_key_id                 = "alias/aws/sqs"
+ kms_data_key_reuse_period_seconds = 300
}

Manual Remediation

Runtime Resource

Procedure

To enable encryption on a queue using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the SQS console.
  3. Open a Queue and click the Edit button at the top right.
  4. Expand Encryption and select Enabled.
  5. Choose or enter a CMK, or use the default provided by AWS.

CLI Command

aws sqs set-queue-attributes --queue-url <QUEUE_URL> --attributes KmsMasterKeyId=<KEY>

The format of the queue URL is https://sqs.REGION.amazonaws.com/ACCOUNT_ID/QUEUE_NAME.

The key should be a KMS key or alias. The default AWS key is alias/aws/sqs.
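The CLI command above remediates one queue; to find every queue in a region that violates this check and print the matching remediation, the following added example (not part of the Bridgecrew page or tooling) evaluates the same KmsMasterKeyId attribute that set-queue-attributes writes. It assumes boto3 is installed and AWS credentials are configured for the live audit; the evaluation function itself is pure. It also treats the newer SqsManagedSseEnabled attribute (SQS-owned key, not covered on this page) as encrypted, which is an assumption about policy intent.

```python
"""Audit SQS queues for server-side encryption at rest (BC_AWS_GENERAL_16).

Added example, not Bridgecrew's code. The live audit needs boto3 and AWS
credentials; encryption_mode() and remediation_command() are pure functions
over the dict that GetQueueAttributes returns.
"""
from typing import Dict, Optional


def encryption_mode(attributes: Dict[str, str]) -> Optional[str]:
    """Return how a queue is encrypted at rest, or None if it is not.

    A non-empty KmsMasterKeyId (key ID, ARN or alias such as alias/aws/sqs)
    means KMS-based SSE, which is what this policy expects. SqsManagedSseEnabled
    is the SQS-owned-key option; treating it as compliant is an assumption here.
    """
    key = attributes.get("KmsMasterKeyId", "").strip()
    if key:
        return "kms:" + key
    if attributes.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "sqs-managed"
    return None


def remediation_command(queue_url: str, key: str = "alias/aws/sqs") -> str:
    """Build the set-queue-attributes command from the page for a queue."""
    return (f"aws sqs set-queue-attributes --queue-url {queue_url} "
            f"--attributes KmsMasterKeyId={key}")


def audit_region(region: str) -> Dict[str, Optional[str]]:
    """Map every queue URL in `region` to its encryption mode (needs boto3)."""
    import boto3  # imported here so the pure functions run without it
    sqs = boto3.client("sqs", region_name=region)
    result: Dict[str, Optional[str]] = {}
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            attrs = sqs.get_queue_attributes(
                QueueUrl=url,
                AttributeNames=["KmsMasterKeyId", "SqsManagedSseEnabled"],
            ).get("Attributes", {})
            result[url] = encryption_mode(attrs)
    return result


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for url, mode in audit_region(region).items():
        print(f"{url}: {mode or 'NOT ENCRYPTED -> ' + remediation_command(url)}")
```

Run it as `python audit_sqs_sse.py eu-west-1`; unencrypted queues are listed together with the exact command to fix them.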
