Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. There is no additional charge for using SQS Server-Side Encryption, however, there is a charge for using AWS KMS.
When you are using AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement encryption in order to make the contents of these messages unavailable to unauthorized or anonymous users. The encryption and decryption is handled transparently by SQS SSE and does not require any additional action from you or your application.
To determine if your Amazon SQS queues have the Server-Side Encryption feature enabled, perform the following:
To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following: