Ensure that your Amazon Simple Queue Service (SQS) queues are using KMS CMK customer-managed keys instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the queues data encryption/decryption process.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you create and use your own KMS CMK customer-managed keys to protect the contents of your SQS queue messages, you obtain full control over who can use the CMK keys and access the data encrypted within queue messages. The AWS KMS service allows you to create, rotate, disable, enable, and audit your Customer Master Keys (CMKs) for Amazon SQS.
Note: As of May 2017, Server-Side Encryption (SSE) with KMS CMK for AWS SQS is available only in the US East (Ohio) and US West (Oregon) regions.
To determine if AWS KMS CMK customer-managed keys are used for your SQS queues data encryption as opposed to default keys, perform the following:
To use your own Amazon KMS CMK customer-managed keys for SQS queues Server-Side Encryption (SSE), perform the following commands: