Queue Server Side Encryption
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. There is no additional charge for using SQS Server-Side Encryption, however, there is a charge for using AWS KMS.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you are using AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement encryption in order to make the contents of these messages unavailable to unauthorized or anonymous users. The encryption and decryption is handled transparently by SQS SSE and does not require any additional action from you or your application.
To determine if your Amazon SQS queues have the Server-Side Encryption feature enabled, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.
03 Select the SQS queue that you want to examine.
04 Choose the Encryption tab from the bottom panel and verify the Server-Side Encryption (SSE) configuration for the selected SQS queue. If the SQS SSE configuration is not available, instead the following message is being displayed: "Server-side encryption (SSE) is disabled. SSE lets you protect the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS)", the selected SQS queue does not have the SSE feature enabled, therefore the messages managed by the SQS queue are not encrypted.
05 Repeat step no. 3 and 4 for each Amazon SQS queue available in the current AWS region.
06 Change the AWS region from the navigation bar to repeat the audit process for other regions.
01 Run list-queues command (OSX/Linux/UNIX) to list the URLs of all SQS queues available in the selected AWS region - US West (Oregon):
aws sqs list-queues --region --region us-west-2
02 The command output should return the requested SQS URL(s):
{
"QueueUrls": [
"https://queue.amazonaws.com/123456789012/WebWorkerSQSQueue",
"https://queue.amazonaws.com/123456789012/TranscoderQueue"
]
}
03 Run get-queue-attributes command (OSX/Linux/UNIX) using the queue URL returned at the previous step as identifier and built-in query filters to return the ID of the KMS Customer Master Key (CMK) used for encrypting the messages managed by the selected SQS queue:
aws sqs get-queue-attributes --region us-west-2 --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue --attribute-names KmsMasterKeyId
04 The command output should return the requested KMS CMK ID. If the get-queue-attributes command executed at the previous step does not produce an output, the SQS queue does not use an AWS KMS CMK key, therefore the SQS SSE feature is not enabled for the selected queue.
05 Repeat step no. 3 and 4 for each AWS SQS queue provisioned in the current AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to SQS dashboard at https://console.aws.amazon.com/sqs/.
03 Choose the SQS queue that you want to encrypt with SSE (see Audit section part I to identify the right resource).
04 Click on the Queue Actions button from the dashboard top menu and select Configure Queue option to reconfigure the selected queue.
05 Inside the Configure <sqs_queue_name> dialog box, within Server-Side Encryption (SSE) Settings section, perform the following actions:
06 Repeat steps no. 3 – 5 to enable Server-Side Encryption (SSE) for other SQS queues available in the current AWS region.
07 Change the AWS region from the navigation bar and repeat the process for other regions.
01 First, define the required set-queue-attributes command attributes and save them into a JSON file named enable-sqs-sse.json. Based on the KMS CMK key type used (AWS-managed or custom CMK), choose to define one of the following options:
{
"KmsMasterKeyId": "alias/aws/sqs",
"KmsDataKeyReusePeriodSeconds": "300"
}
{
"KmsMasterKeyId": "<kms_cmk_custom_key_arn>",
"KmsDataKeyReusePeriodSeconds": "300"
}
02 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to encrypt with SSE (see Audit section part II to identify the right SQS resource) and the policy document defined at the previous step, e.g. enable-sqs-sse.json, to enable Server-Side Encryption for the selected SQS queue (the command does not produce an output):
aws sqs set-queue-attributes --region us-west-2 --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue --attributes file://enable-sqs-sse.json
03 Repeat step no. 1 and 2 to enable Server-Side Encryption (SSE) for other SQS queues available in the current AWS region.
04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat