Queue Server Side Encryption

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Select the SQS queue that you want to examine.

04 Choose the Encryption tab from the bottom panel and verify the Server-Side Encryption (SSE) configuration for the selected SQS queue. If the SQS SSE configuration is not available, instead the following message is being displayed: "Server-side encryption (SSE) is disabled. SSE lets you protect the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS)", the selected SQS queue does not have the SSE feature enabled, therefore the messages managed by the SQS queue are not encrypted.

05 Repeat step no. 3 and 4 for each Amazon SQS queue available in the current AWS region.

06 Change the AWS region from the navigation bar to repeat the audit process for other regions.

01 Run list-queues command (OSX/Linux/UNIX) to list the URLs of all SQS queues available in the selected AWS region - US West (Oregon):

aws sqs list-queues
	--region
	--region us-west-2

02 The command output should return the requested SQS URL(s):

{
    "QueueUrls": [
        "https://queue.amazonaws.com/123456789012/WebWorkerSQSQueue",
        "https://queue.amazonaws.com/123456789012/TranscoderQueue"
    ]
}

03 Run get-queue-attributes command (OSX/Linux/UNIX) using the queue URL returned at the previous step as identifier and built-in query filters to return the ID of the KMS Customer Master Key (CMK) used for encrypting the messages managed by the selected SQS queue:

aws sqs get-queue-attributes
	--region us-west-2
	--queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue                                                                                    --attribute-names KmsMasterKeyId

04 The command output should return the requested KMS CMK ID. If the get-queue-attributes command executed at the previous step does not produce an output, the SQS queue does not use an AWS KMS CMK key, therefore the SQS SSE feature is not enabled for the selected queue.

05 Repeat step no. 3 and 4 for each AWS SQS queue provisioned in the current AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.

03 Choose the SQS queue that you want to encrypt with SSE (see Audit section part I to identify the right resource).

04 Click on the Queue Actions button from the dashboard top menu and select Configure Queue option to reconfigure the selected queue.

05 Inside the Configure <sqs_queue_name> dialog box, within Server-Side Encryption (SSE) Settings section, perform the following actions:

1. Select Use SSE to turn on the feature.
2. From the AWS KMS Customer Master Key (CMK) dropdown list, select one of the following options:
   • To use the AWS-managed CMK key for SQS SSE select (Default) aws/sqs option. The KMS service creates the AWS-managed CMK key the first time when you request it using the AWS Management Console.
   • To use a custom KMS CMK key provisioned within AWS account (or another account), select Enter an existing CMK ARN option and type or paste the custom key ARN into the Enter a CMK ARN box.
3. (Optional) For Data Key Reuse Period setting, provide a value between 1 minute and 24 hours. The default value for this setting is 5 minutes (suitable for most configurations).
4. Click Save Changes to apply the new configuration changes and enable Server-Side Encryption for the selected SQS queue.

06 Repeat steps no. 3 – 5 to enable Server-Side Encryption (SSE) for other SQS queues available in the current AWS region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

01 First, define the required set-queue-attributes command attributes and save them into a JSON file named enable-sqs-sse.json. Based on the KMS CMK key type used (AWS-managed or custom CMK), choose to define one of the following options:

1. To use the AWS-managed CMK key:
   {
     "KmsMasterKeyId": "alias/aws/sqs",
     "KmsDataKeyReusePeriodSeconds": "300"
   }
   

2. To use your custom KMS CMK key. Replace the <kms_cmk_custom_key_arn> (e.g. arn:aws:kms:us-west-2:123456789012:key/b1310619-54ec-4234-aa75-2598e5abf069), with your own key ARN:
   {
     "KmsMasterKeyId": "<kms_cmk_custom_key_arn>",
     "KmsDataKeyReusePeriodSeconds": "300"
   }
   

02 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to encrypt with SSE (see Audit section part II to identify the right SQS resource) and the policy document defined at the previous step, e.g. enable-sqs-sse.json, to enable Server-Side Encryption for the selected SQS queue (the command does not produce an output):

aws sqs set-queue-attributes
	--region us-west-2
	--queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue
	--attributes file://enable-sqs-sse.json

03 Repeat step no. 1 and 2 to enable Server-Side Encryption (SSE) for other SQS queues available in the current AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.