
SQS Server Side Encryption

Security

Risk level: High (act today)

Ensure that your Amazon Simple Queue Service (SQS) queues protect the contents of their messages with Server-Side Encryption (SSE). SQS SSE uses an AWS KMS Customer Master Key (CMK) to generate the data keys that encrypt and decrypt message bodies. There is no additional charge for SQS Server-Side Encryption itself; however, the AWS KMS requests that SQS makes to generate and decrypt data keys are billed at the standard KMS rates, so a shorter data key reuse period means more KMS requests and a higher KMS bill.

This rule resolution is part of the Cloud Conformity Security Package

When you use AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to enable SSE so that message bodies are stored encrypted at rest and can only be read by principals that are allowed to use the KMS key. Encryption and decryption are handled transparently by SQS SSE and do not require any change to your application, but producers must be allowed kms:GenerateDataKey and consumers kms:Decrypt on the CMK, otherwise their SQS calls fail with a KMS access error once SSE is turned on. Note what SSE does not cover: it encrypts only the message body, not queue metadata (queue name and attributes), message metadata (message ID, timestamp and message attributes) or per-queue metrics, and it protects data at rest only; data in transit is protected by TLS on the SQS endpoint.

Audit

To determine if your Amazon SQS queues have the Server-Side Encryption feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Choose the Encryption tab from the bottom panel and verify the Server-Side Encryption (SSE) configuration for the selected SQS queue. If, instead of an SSE configuration, the tab displays the message "Server-side encryption (SSE) is disabled. SSE lets you protect the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS)", the selected SQS queue does not have the SSE feature enabled and the messages stored in it are not encrypted at rest.

05 Repeat step no. 3 and 4 for each Amazon SQS queue available in the current AWS region.

06 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to list the URLs of all SQS queues available in the selected AWS region - US West (Oregon):

aws sqs list-queues
	--region us-west-2

02 The command output should return the requested SQS URL(s):

{
    "QueueUrls": [
        "https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue",
        "https://us-west-2.queue.amazonaws.com/123456789012/TranscoderQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) using the queue URL returned at the previous step as identifier and the --attribute-names parameter to return only the ID of the KMS Customer Master Key (CMK) used for encrypting the messages managed by the selected SQS queue:

aws sqs get-queue-attributes
	--region us-west-2
	--queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue
	--attribute-names KmsMasterKeyId

04 The command output should return the requested KMS CMK ID (an alias such as alias/aws/sqs, a key ID or a key ARN, exactly as it was set on the queue). If the get-queue-attributes command executed at the previous step produces no output, the queue has no KmsMasterKeyId attribute, i.e. it does not use an AWS KMS CMK and the SQS SSE feature is not enabled for the selected queue. Note that a queue encrypted with SQS-managed keys (SSE-SQS, an option added after this page was written) also returns no KmsMasterKeyId but is still encrypted at rest; request the SqsManagedSseEnabled attribute as well to distinguish it from an unencrypted queue.

05 Repeat step no. 3 and 4 for each AWS SQS queue provisioned in the current AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
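The CLI audit above, automated as a Python/boto3 script. This is an added example and not part of the Cloud Conformity page: classify_queue() is a pure function over the "Attributes" map that get-queue-attributes returns, so the decision logic can be checked offline against the constructed SAMPLE_QUEUES maps, while collect() walks real queues and assumes boto3 is installed with credentials allowed to call sqs:ListQueues and sqs:GetQueueAttributes. It also requests SqsManagedSseEnabled, an attribute that postdates this page, so that a queue encrypted with SQS-managed keys is not reported as unencrypted.

```python
"""Audit SQS queues for server-side encryption (added example; not Cloud Conformity code).

classify_queue() is a pure function over the "Attributes" map that
sqs:GetQueueAttributes returns, so it can be checked offline; collect() walks
every queue in the requested regions with boto3 (assumed installed and
configured with credentials allowed sqs:ListQueues and sqs:GetQueueAttributes).
"""
import re
import sys

# Attributes requested per queue. SqsManagedSseEnabled postdates this page:
# a queue encrypted with SQS-managed keys has no KmsMasterKeyId but is still
# encrypted at rest, so it must not be reported as a finding.
SSE_ATTRIBUTES = ["KmsMasterKeyId", "KmsDataKeyReusePeriodSeconds", "SqsManagedSseEnabled"]
ALIAS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:alias/(.+)$")


def _alias_name(key_id):
    """Return the alias name for 'alias/<name>' or an alias ARN, else None."""
    if key_id.startswith("alias/"):
        return key_id[len("alias/"):]
    m = ALIAS_ARN_RE.match(key_id)
    return m.group(1) if m else None


def classify_queue(attrs):
    """Classify one queue from its Attributes map (empty map = no SSE).

    An unencrypted queue returns no KmsMasterKeyId at all, which is why the
    CLI step above prints nothing for it rather than an explicit "false".
    """
    key_id = attrs.get("KmsMasterKeyId")
    if key_id:
        if _alias_name(key_id) == "aws/sqs":
            key_type = "aws-managed"
            notes = ["key policy is not editable: other AWS services (e.g. SNS, S3 "
                     "event notifications) cannot send to this queue"]
        else:
            # Bare key ID, key ARN or custom alias: kms:DescribeKey's KeyManager
            # field (AWS or CUSTOMER) tells which; reported as a KMS key here.
            key_type = "kms-key"
            notes = []
        return {"encrypted": True, "key_type": key_type, "key_id": key_id,
                "reuse_period": int(attrs.get("KmsDataKeyReusePeriodSeconds", "300")),
                "risk": "low", "notes": notes}
    if attrs.get("SqsManagedSseEnabled", "false").lower() == "true":
        return {"encrypted": True, "key_type": "sqs-managed", "key_id": None,
                "reuse_period": None, "risk": "low", "notes": []}
    return {"encrypted": False, "key_type": "none", "key_id": None,
            "reuse_period": None, "risk": "high",
            "notes": ["enable SSE: see Remediation / Resolution"]}


# Constructed sample Attributes maps mirroring what the CLI steps return.
SAMPLE_QUEUES = {
    "https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue":
        {"KmsMasterKeyId": "alias/aws/sqs", "KmsDataKeyReusePeriodSeconds": "300"},
    "https://us-west-2.queue.amazonaws.com/123456789012/TranscoderQueue": {},
}


def audit(queue_attrs):
    """Map queue URL -> finding; used for both the samples and the live walk."""
    return {url: classify_queue(attrs) for url, attrs in queue_attrs.items()}


def unencrypted_queues(queue_attrs):
    """Sorted URLs of queues with no encryption at rest."""
    return sorted(url for url, f in audit(queue_attrs).items() if not f["encrypted"])


def collect(regions):
    """Fetch the Attributes map of every queue in the given regions (needs boto3)."""
    import boto3
    found = {}
    for region in regions:
        sqs = boto3.client("sqs", region_name=region)
        for page in sqs.get_paginator("list_queues").paginate():
            for url in page.get("QueueUrls", []):
                resp = sqs.get_queue_attributes(QueueUrl=url, AttributeNames=SSE_ATTRIBUTES)
                found[url] = resp.get("Attributes", {})
    return found


if __name__ == "__main__":
    regions = sys.argv[1:]
    data = collect(regions) if regions else SAMPLE_QUEUES  # no args: offline demo
    for url, finding in audit(data).items():
        print(f"{finding['risk']:<5} {finding['key_type']:<12} {url}")
```

Run it with one or more region names to audit live queues, or with no arguments to see the classification of the constructed samples. A key reported as kms-key is either a customer managed CMK or the AWS-managed one referenced by ID rather than alias; kms:DescribeKey's KeyManager field settles which.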

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Choose the SQS queue that you want to encrypt with SSE (see Audit section part I to identify the right resource).

04 Click on the Queue Actions button from the dashboard top menu and select Configure Queue option to reconfigure the selected queue.

05 Inside the Configure <sqs_queue_name> dialog box, within Server-Side Encryption (SSE) Settings section, perform the following actions:

  1. Select Use SSE to turn on the feature.
  2. From the AWS KMS Customer Master Key (CMK) dropdown list, select one of the following options:
    • To use the AWS-managed CMK for SQS SSE, select the (Default) aws/sqs option. The KMS service creates the AWS-managed CMK the first time you request it through the AWS Management Console. Note that the key policy of an AWS-managed CMK cannot be edited, so other AWS services (for example Amazon SNS or Amazon S3 event notifications) cannot send messages to a queue encrypted with it; choose a customer managed CMK for such queues.
    • To use a customer managed KMS CMK provisioned within your AWS account (or another account), select the Enter an existing CMK ARN option and type or paste the key ARN into the Enter a CMK ARN box. A key in another account must be referenced by its full ARN and its key policy must allow your producers and consumers to use it.
  3. (Optional) For the Data Key Reuse Period setting, provide a value between 1 minute and 24 hours. The default value is 5 minutes (suitable for most configurations); a shorter period limits how long a cached data key is reused at the cost of more KMS requests, a longer one reduces KMS calls and cost.
  4. Click Save Changes to apply the new configuration changes and enable Server-Side Encryption for the selected SQS queue.

06 Repeat steps no. 3 – 5 to enable Server-Side Encryption (SSE) for other SQS queues available in the current AWS region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, define the required set-queue-attributes command attributes and save them into a JSON file named enable-sqs-sse.json. Based on the KMS CMK key type used (AWS-managed or custom CMK), choose to define one of the following options:

  1. To use the AWS-managed CMK key:
    {
      "KmsMasterKeyId": "alias/aws/sqs",
      "KmsDataKeyReusePeriodSeconds": "300"
    }
    
  2. To use your custom KMS CMK key. Replace the <kms_cmk_custom_key_arn> (e.g. arn:aws:kms:us-west-2:123456789012:key/b1310619-54ec-4234-aa75-2598e5abf069), with your own key ARN:
    {
      "KmsMasterKeyId": "<kms_cmk_custom_key_arn>",
      "KmsDataKeyReusePeriodSeconds": "300"
    }
    

02 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to encrypt with SSE (see Audit section part II to identify the right SQS resource) and the attributes file defined at the previous step, e.g. enable-sqs-sse.json, to enable Server-Side Encryption for the selected SQS queue. The command does not produce an output, so re-run the get-queue-attributes command from the Audit section afterwards to confirm that KmsMasterKeyId is now set:

aws sqs set-queue-attributes
	--region us-west-2
	--queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue
	--attributes file://enable-sqs-sse.json

03 Repeat step no. 1 and 2 to enable Server-Side Encryption (SSE) for other SQS queues available in the current AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
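The CLI remediation above as an idempotent Python/boto3 script. This is an added example and not part of the Cloud Conformity page: build_sse_attributes() produces the same attribute map as enable-sqs-sse.json after validating the key identifier and the data key reuse period, needs_update() compares it with what the queue already has so the script can be re-run without touching queues that are already compliant, and remediate() assumes boto3 is installed with credentials allowed to call sqs:GetQueueAttributes and sqs:SetQueueAttributes.

```python
"""Enable SSE on existing SQS queues idempotently (added example; not Cloud Conformity code).

build_sse_attributes() builds the attribute map that enable-sqs-sse.json
carries, with the validation SQS would otherwise reject at call time;
needs_update() makes remediate() a no-op for queues already set as desired.
"""
import re

AWS_MANAGED_SQS_ALIAS = "alias/aws/sqs"
MIN_REUSE_SECONDS, MAX_REUSE_SECONDS, DEFAULT_REUSE_SECONDS = 60, 86_400, 300
# KMS key ID (UUID), key ARN or alias ARN. A key in another account must be
# given as its full ARN; a bare alias only resolves in the caller's account.
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:(key/[0-9a-f-]{36}|alias/.+)$")


def build_sse_attributes(key_id=AWS_MANAGED_SQS_ALIAS, reuse_period=DEFAULT_REUSE_SECONDS):
    """Return the SetQueueAttributes map; SQS takes every attribute value as a string."""
    if not (key_id.startswith("alias/") or KEY_ID_RE.match(key_id) or KEY_ARN_RE.match(key_id)):
        raise ValueError(f"not a KMS key ID, key ARN or alias: {key_id!r}")
    if not MIN_REUSE_SECONDS <= reuse_period <= MAX_REUSE_SECONDS:
        raise ValueError(f"reuse period must be {MIN_REUSE_SECONDS}..{MAX_REUSE_SECONDS} seconds")
    return {"KmsMasterKeyId": key_id, "KmsDataKeyReusePeriodSeconds": str(reuse_period)}


def needs_update(current, desired):
    """True if any desired attribute differs from the queue's current Attributes map.

    An unencrypted queue has no KmsMasterKeyId at all, so an empty map always
    needs an update.
    """
    return any(current.get(name) != value for name, value in desired.items())


def remediate(queue_urls, region, key_id=AWS_MANAGED_SQS_ALIAS, reuse_period=DEFAULT_REUSE_SECONDS):
    """Apply SSE where missing or different; return the URLs that were changed (needs boto3)."""
    import boto3
    sqs = boto3.client("sqs", region_name=region)
    desired = build_sse_attributes(key_id, reuse_period)
    names = list(desired)
    changed = []
    for url in queue_urls:
        current = sqs.get_queue_attributes(QueueUrl=url, AttributeNames=names).get("Attributes", {})
        if not needs_update(current, desired):
            continue  # already compliant: leave the queue alone
        sqs.set_queue_attributes(QueueUrl=url, Attributes=desired)
        # SetQueueAttributes returns nothing, so read the queue back to verify.
        after = sqs.get_queue_attributes(QueueUrl=url, AttributeNames=names).get("Attributes", {})
        if needs_update(after, desired):
            raise RuntimeError(f"SSE attributes did not apply on {url}: {after}")
        changed.append(url)
    return changed


if __name__ == "__main__":
    import argparse
    p = argparse.ArgumentParser(description="Enable SQS server-side encryption on the given queues")
    p.add_argument("region")
    p.add_argument("queue_urls", nargs="+")
    p.add_argument("--key", default=AWS_MANAGED_SQS_ALIAS, help="KMS key ID, key ARN or alias")
    p.add_argument("--reuse", type=int, default=DEFAULT_REUSE_SECONDS, help="data key reuse period (s)")
    a = p.parse_args()
    for url in remediate(a.queue_urls, a.region, a.key, a.reuse):
        print("enabled SSE on", url)
```

Pass --key with a customer managed CMK ARN for queues that other AWS services must be able to write to, since the AWS-managed aws/sqs key's policy cannot grant them access.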

Publication date May 7, 2017