
Use AWS KMS Customer Master Keys for SQS Queues Encryption

Security

Risk level: Medium (should be achieved)

Ensure that your Amazon Simple Queue Service (SQS) queues are using KMS CMK customer-managed keys instead of AWS-managed keys (i.e. the default keys used when no customer key is defined) in order to have more granular control over the encryption and decryption of queue data.

This rule resolution is part of the Cloud Conformity Security Package

When you create and use your own KMS CMK customer-managed keys to protect the contents of your SQS queue messages, you obtain full control over who can use the CMK keys and access the data encrypted within queue messages. The AWS KMS service allows you to create, rotate, disable, enable, and audit your Customer Master Keys (CMKs) for Amazon SQS. Note: As of May 2017, Server-Side Encryption (SSE) with KMS CMK for AWS SQS is available only in the US East (Ohio) and US West (Oregon) regions.

Audit

To determine if AWS KMS CMK customer-managed keys are used for your SQS queues data encryption as opposed to default keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Choose the Encryption tab from the bottom panel and verify the Server-Side Encryption (SSE) configuration status for the selected SQS queue:

  1. If the SQS SSE configuration is not available and the following message is displayed instead: "Server-Side Encryption (SSE) is disabled. SSE lets you protect the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS)", the queue does not have server-side encryption enabled; therefore the messages managed by the selected SQS queue are not encrypted.
  2. If the Server-Side Encryption (SSE) is enabled and the AWS KMS Customer Master Key (CMK) configuration attribute value is set to "alias/aws/sqs", the selected SQS queue data is encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

05 Repeat steps no. 3 and 4 for each Amazon SQS queue available in the current AWS region.

06 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to list the URLs of all SQS queues available in the selected AWS region - US West (Oregon):

aws sqs list-queues \
	--region us-west-2

02 The command output should return the requested SQS URL(s):

{
    "QueueUrls": [
        "https://queue.amazonaws.com/123456789012/VotingSystemQueue",
        "https://queue.amazonaws.com/123456789012/WebTranscoderQueue",
        "https://queue.amazonaws.com/123456789012/RTMAQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) using the queue URL returned at the previous step as the identifier, together with the built-in query filter, to return the ID of the KMS Customer Master Key (CMK) used for encrypting the messages managed by the selected SQS queue:

aws sqs get-queue-attributes \
	--region us-west-2 \
	--queue-url https://us-west-2.queue.amazonaws.com/123456789012/VotingSystemQueue \
	--attribute-names KmsMasterKeyId \
	--query 'Attributes.KmsMasterKeyId'

04 The command output should return the requested KMS CMK ID:

  1. If the get-queue-attributes command performed at the previous step does not produce an output, the SQS queue does not use an AWS KMS CMK, and therefore the data managed by the selected Amazon SQS queue is not encrypted.
  2. If the get-queue-attributes command output returns "alias/aws/sqs" as the alias (name) of the KMS CMK in use, the selected AWS SQS queue data is encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

05 Repeat steps no. 3 and 4 for each AWS SQS queue provisioned in the current AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
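The CLI audit above, automated as an added example (this script is not part of the Cloud Conformity page): classify_sqs_key maps the KmsMasterKeyId value from step 03 to the three states step 04 distinguishes and runs offline, while audit_region chains list-queues and get-queue-attributes for every queue in a region and needs the aws CLI with credentials. The queue names are taken from the page's sample output; the key values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: automates the Audit section's CLI steps 01-05 for one region.

# Map the value of
#   aws sqs get-queue-attributes --attribute-names KmsMasterKeyId \
#       --query 'Attributes.KmsMasterKeyId' --output text
# to the states the Audit section distinguishes. With --output text the CLI prints
# "None" for a missing attribute; with JSON output it prints null.
classify_sqs_key() {
  case "$1" in
    ""|None|null)   echo "NO_SSE" ;;          # attribute absent: queue data not encrypted
    *alias/aws/sqs) echo "AWS_MANAGED_KEY" ;; # default key, given as alias or alias ARN
    *)              echo "CUSTOMER_CMK" ;;    # key ID, key ARN or custom alias
  esac
}

# audit_region REGION: run list-queues, then get-queue-attributes per queue, and print
# "region<TAB>queue-url<TAB>state" so non-compliant queues can be grepped out.
audit_region() {
  region="$1"
  aws sqs list-queues --region "$region" --query 'QueueUrls[]' --output text \
    | tr '\t' '\n' | while read -r url; do
      [ -n "$url" ] && [ "$url" != "None" ] || continue
      key=$(aws sqs get-queue-attributes --region "$region" --queue-url "$url" \
              --attribute-names KmsMasterKeyId --query 'Attributes.KmsMasterKeyId' \
              --output text)
      printf '%s\t%s\t%s\n' "$region" "$url" "$(classify_sqs_key "$key")"
    done
}

# Stand-alone demonstration on constructed values (no AWS calls):
for pair in \
  'VotingSystemQueue|None' \
  'WebTranscoderQueue|alias/aws/sqs' \
  'RTMAQueue|arn:aws:kms:us-west-2:123456789012:key/31fb029b-f72c-4dad-9e23-e8040c225e40'
do
  printf '%s\t%s\n' "${pair%%|*}" "$(classify_sqs_key "${pair#*|}")"
done
# Real run against an account (step 06 is the second call):
#   audit_region us-west-2; audit_region us-east-2
```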

Remediation / Resolution

To use your own Amazon KMS CMK customer-managed keys for SQS queues Server-Side Encryption (SSE), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your SQS queue is provisioned).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt SQS data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the SQS queue data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: <the CMK display name>”.

12 Now that the necessary KMS CMK customer-managed key has been provisioned, navigate to the SQS dashboard at https://console.aws.amazon.com/sqs/.

13 Choose the SQS queue that you want to encrypt with the AWS KMS CMK key created earlier (see Audit section part I to identify the right resource).

14 Click on the Queue Actions button from the dashboard top menu and select Configure Queue option to reconfigure the selected queue.

15 Inside the Configure <sqs_queue_name> dialog box, within Server-Side Encryption (SSE) Settings section, perform the following actions:

  1. If encryption is not currently enabled, select Use SSE to turn on Server-Side Encryption for the selected queue, otherwise skip this step.
  2. From the AWS KMS Customer Master Key (CMK) dropdown list, select the KMS CMK customer-managed key created at steps no. 5 – 11, e.g. SQS AWS Master Key.
  3. (Optional) For Data Key Reuse Period setting, provide a value between 1 minute and 24 hours. The default value for this setting is 5 minutes (suitable for most configurations).
  4. Click Save Changes to apply the new configuration changes and enable Server-Side Encryption for the selected SQS queue.

16 Repeat steps no. 12 – 15 to apply your newly created KMS CMK customer-managed key to other SQS queues available in the current AWS region.

17 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, create a policy that enables your selected IAM users and/or roles to administer the new KMS customer-managed key and to encrypt/decrypt SQS data using the AWS KMS API. Create a new policy document called sqs-kms-cmk-policy.json and paste the following content (replace the example details, i.e. the account ID and the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "sqs-queue-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for CMK Key Managers",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonSQSManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SQSAdministrator"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SQSAdministrator"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. sqs-kms-cmk-policy.json) as required command parameter to create the new KMS CMK customer-managed key:

aws kms create-key \
	--region us-west-2 \
	--description 'CMK key for Amazon SQS SSE' \
	--policy file://sqs-kms-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the CMK unique ID (the KeyId parameter value) as this ID will be required later when you need to specify the CMK for SQS queue encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "31fb029b-f72c-4dad-9e23-e8040c225e40",
        "Description": "CMK key for Amazon SQS SSE",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1495126800.314,
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/31fb029b-f72c-4dad-9e23-e8040c225e40",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step (e.g. arn:aws:kms:us-west-2:123456789012:key/31fb029b-f72c-4dad-9e23-e8040c225e40) to attach an alias (identifier/name) to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
	--region us-west-2 \
	--alias-name alias/SQSManagedCMK \
	--target-key-id arn:aws:kms:us-west-2:123456789012:key/31fb029b-f72c-4dad-9e23-e8040c225e40

05 Now define the required set-queue-attributes command attributes and save them into a JSON file named sqs-sse-with-cmk.json. To use your custom KMS CMK key created at step no. 2 – 4, replace the <kms_cmk_custom_key_arn> (e.g. arn:aws:kms:us-west-2:123456789012:key/31fb029b-f72c-4dad-9e23-e8040c225e40), with your own key ARN:

{
  "KmsMasterKeyId": "<kms_cmk_custom_key_arn>",
  "KmsDataKeyReusePeriodSeconds": "300"
}

06 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to encrypt using your new KMS CMK customer-managed key (see Audit section part II to identify the right SQS resource) and the attributes file defined at the previous step (sqs-sse-with-cmk.json), to use your own Amazon KMS customer-managed key to encrypt the data managed by the selected SQS queue (the command does not produce an output):

aws sqs set-queue-attributes \
	--region us-west-2 \
	--queue-url https://us-west-2.queue.amazonaws.com/123456789012/VotingSystemQueue \
	--attributes file://sqs-sse-with-cmk.json

07 Repeat steps no. 5 and 6 to apply your newly created KMS CMK to other SQS queues provisioned within the current AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat the remediation/resolution process for other regions.
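The CLI remediation above, chained as an added example (not code from the Cloud Conformity page): build_sse_attributes generates the sqs-sse-with-cmk.json content of step 05 and rejects a reuse period outside the 1 minute to 24 hours range stated in the console procedure, while create_sqs_cmk and encrypt_queue run steps 02, 04 and 06 and require the aws CLI with credentials. The policy file name, alias and queue URL are the page's sample values; the function names are assumptions.

```shell
#!/bin/sh
# Added example: chains the Remediation section's CLI steps so the key ARN returned by
# create-key flows into create-alias and set-queue-attributes without manual copying.
set -eu

# build_sse_attributes KEY_ARN [REUSE_SECONDS]: print the set-queue-attributes JSON.
# SQS accepts KmsDataKeyReusePeriodSeconds from 60 to 86400; other values are refused here.
build_sse_attributes() {
  key_arn="$1"; reuse="${2:-300}"
  if [ "$reuse" -lt 60 ] || [ "$reuse" -gt 86400 ]; then
    echo "KmsDataKeyReusePeriodSeconds must be between 60 and 86400 (got $reuse)" >&2
    return 1
  fi
  printf '{\n  "KmsMasterKeyId": "%s",\n  "KmsDataKeyReusePeriodSeconds": "%s"\n}\n' \
    "$key_arn" "$reuse"
}

# create_sqs_cmk REGION POLICY_FILE ALIAS: create the CMK and its alias, print the key ARN.
create_sqs_cmk() {
  region="$1"; policy_file="$2"; alias_name="$3"
  key_arn=$(aws kms create-key --region "$region" \
      --description 'CMK key for Amazon SQS SSE' \
      --policy "file://$policy_file" \
      --query 'KeyMetadata.Arn' --output text)
  # KMS keys are regional: the alias must be created in the same region as the key.
  aws kms create-alias --region "$region" --alias-name "$alias_name" --target-key-id "$key_arn"
  echo "$key_arn"
}

# encrypt_queue REGION QUEUE_URL KEY_ARN [REUSE_SECONDS]: apply SSE with the CMK and
# read the attribute back so the change can be verified in the same run.
encrypt_queue() {
  region="$1"; queue_url="$2"; key_arn="$3"; reuse="${4:-300}"
  attrs=$(mktemp)
  build_sse_attributes "$key_arn" "$reuse" > "$attrs"
  aws sqs set-queue-attributes --region "$region" --queue-url "$queue_url" \
      --attributes "file://$attrs"
  rm -f "$attrs"
  aws sqs get-queue-attributes --region "$region" --queue-url "$queue_url" \
      --attribute-names KmsMasterKeyId --query 'Attributes.KmsMasterKeyId' --output text
}

# Stand-alone demonstration (no AWS calls): the attributes file for the page's sample key ARN.
build_sse_attributes 'arn:aws:kms:us-west-2:123456789012:key/31fb029b-f72c-4dad-9e23-e8040c225e40'
# Real run against an account:
#   key_arn=$(create_sqs_cmk us-west-2 sqs-kms-cmk-policy.json alias/SQSManagedCMK)
#   encrypt_queue us-west-2 https://us-west-2.queue.amazonaws.com/123456789012/VotingSystemQueue "$key_arn"
```

If other AWS services (for example SNS or S3 event notifications) publish to the queue, the key policy must also grant those service principals kms:GenerateDataKey and kms:Decrypt, otherwise their messages are rejected once the CMK is applied.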

Publication date May 7, 2017