Ensure that your Amazon Simple Queue Service (SQS) queues protect the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate the data keys required to encrypt and decrypt SQS messages. There is no additional charge for using SQS Server-Side Encryption; however, there is a charge for using AWS KMS.
When you use AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to enable encryption so that the contents of these messages are unavailable to unauthorized or anonymous users. Encryption and decryption are handled transparently by SQS SSE and do not require any additional action from you or your application.
To determine if your Amazon SQS queues have the Server-Side Encryption feature enabled, perform the following:
To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following:
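The audit and the remediation described above can also be scripted. The following is an added example, not part of the original page or of the Cloud Conformity tool: it assumes the boto3 SDK with credentials for the target account and region, and the function names are hypothetical. It goes slightly beyond the page by also recognising the `SqsManagedSseEnabled` queue attribute (SQS-managed keys), so that such queues are not reported as unencrypted.

```python
"""Audit SQS queues for Server-Side Encryption and enable it where missing."""

def sse_status(attrs):
    """Classify one queue from its GetQueueAttributes 'Attributes' map."""
    if attrs.get("KmsMasterKeyId"):            # KMS key configured: SSE with KMS
        return "SSE-KMS"
    if attrs.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "SSE-SQS"                       # SQS-managed key, not covered by the page
    return "NONE"

def audit_queues(sqs):
    """Return {queue_url: status} for every queue visible to the client."""
    result, token = {}, None
    while True:
        kwargs = {"MaxResults": 1000}          # required for NextToken pagination
        if token:
            kwargs["NextToken"] = token
        page = sqs.list_queues(**kwargs)
        for url in page.get("QueueUrls", []):  # key is absent when there are no queues
            resp = sqs.get_queue_attributes(
                QueueUrl=url,
                AttributeNames=["KmsMasterKeyId", "SqsManagedSseEnabled"])
            result[url] = sse_status(resp.get("Attributes", {}))
        token = page.get("NextToken")
        if not token:
            return result

def enable_sse(sqs, queue_url, key_id="alias/aws/sqs", reuse_seconds=300):
    """Turn on SSE with a KMS key; the default is the AWS-managed SQS key alias."""
    sqs.set_queue_attributes(
        QueueUrl=queue_url,
        Attributes={"KmsMasterKeyId": key_id,
                    "KmsDataKeyReusePeriodSeconds": str(reuse_seconds)})

def remediate(sqs, key_id="alias/aws/sqs", dry_run=True):
    """List unencrypted queues; with dry_run=False also enable SSE on them."""
    unencrypted = sorted(u for u, s in audit_queues(sqs).items() if s == "NONE")
    if not dry_run:
        for url in unencrypted:
            enable_sse(sqs, url, key_id)
    return unencrypted

if __name__ == "__main__":
    import boto3                               # assumption: boto3 is installed
    for url in remediate(boto3.client("sqs"), dry_run=True):
        print("SSE not enabled:", url)
```

When a customer-managed key is passed as `key_id`, the producers and consumers of the queue also need KMS permissions on that key, otherwise sends and receives will start failing once SSE is enabled.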