Ensure that your Amazon Simple Queue Service (SQS) queues protect the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate the data keys used to encrypt and decrypt SQS messages. There is no additional charge for SQS Server-Side Encryption itself; however, the underlying AWS KMS usage is charged.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When you are using AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement encryption in order to make the contents of these messages unavailable to unauthorized or anonymous users. Encryption and decryption are handled transparently by SQS SSE and do not require any additional action from you or your application.
Audit
To determine if your Amazon SQS queues have the Server-Side Encryption feature enabled, perform the following:
Remediation / Resolution
To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following:
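The following is an added example that is not part of the Cloud Conformity page or tool. It covers both the audit above (deciding, from a queue's attribute map, whether KMS-backed SSE is on) and the remediation (building the attribute map that turns SSE on). The decision logic works on the same attribute map that `aws sqs get-queue-attributes --attribute-names KmsMasterKeyId` or boto3's `get_queue_attributes` returns, so it can be exercised offline with constructed input; the two functions that actually call AWS (`audit_account`, `enable_sse`) import boto3 lazily and assume valid AWS credentials in the environment. The queue URLs and key ARN in the sample data are constructed, not taken from any real account.

```python
"""Audit and remediation helpers for Amazon SQS server-side encryption.

Added example (not Cloud Conformity's or AWS's own code). SQS reports
KMS-backed SSE through the queue attribute `KmsMasterKeyId`; when SSE is
off, that attribute is simply absent from the attribute map.
"""

# AWS-managed CMK that SQS uses when you enable SSE without naming a key.
AWS_MANAGED_ALIAS = "alias/aws/sqs"


def classify_sse(attributes):
    """Classify a queue from its attribute map.

    Returns ("unencrypted", None), ("kms-aws-managed", key) or
    ("kms-customer", key). The AWS-managed key may be reported either as
    the bare alias or as a full alias ARN, so match on the suffix.
    """
    key = attributes.get("KmsMasterKeyId")
    if not key:
        return ("unencrypted", None)
    if key.endswith(AWS_MANAGED_ALIAS):
        return ("kms-aws-managed", key)
    return ("kms-customer", key)


def audit_attributes(queue_url, attributes):
    """Produce one finding record for a queue; compliant means SSE is on."""
    status, key = classify_sse(attributes)
    return {
        "queue_url": queue_url,
        "status": status,
        "kms_key": key,
        "compliant": status != "unencrypted",
    }


def sse_parameters(kms_key_id, data_key_reuse_seconds=300):
    """Build the Attributes map for set-queue-attributes.

    KmsDataKeyReusePeriodSeconds must be between 60 and 86400 (default 300).
    A shorter period means each data key is used for less time but SQS
    calls KMS more often, which is where the KMS cost comes from.
    """
    if not 60 <= data_key_reuse_seconds <= 86400:
        raise ValueError("KmsDataKeyReusePeriodSeconds must be between 60 and 86400")
    return {
        "KmsMasterKeyId": kms_key_id,
        "KmsDataKeyReusePeriodSeconds": str(data_key_reuse_seconds),
    }


def audit_account(region_name):
    """List every queue in a region and classify it (needs boto3 + credentials)."""
    import boto3  # imported here so the offline helpers above need no SDK

    sqs = boto3.client("sqs", region_name=region_name)
    findings = []
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            resp = sqs.get_queue_attributes(
                QueueUrl=url, AttributeNames=["KmsMasterKeyId"]
            )
            # "Attributes" is omitted entirely when no requested attribute is set.
            findings.append(audit_attributes(url, resp.get("Attributes", {})))
    return findings


def enable_sse(region_name, queue_url, kms_key_id=AWS_MANAGED_ALIAS):
    """Remediate one queue by turning on KMS-backed SSE (needs boto3 + credentials)."""
    import boto3

    sqs = boto3.client("sqs", region_name=region_name)
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes=sse_parameters(kms_key_id))


if __name__ == "__main__":
    # Constructed sample attribute maps, not captured from a real account.
    SAMPLE = {
        "https://sqs.us-east-1.amazonaws.com/123456789012/orders":
            {"KmsMasterKeyId": "alias/aws/sqs", "KmsDataKeyReusePeriodSeconds": "300"},
        "https://sqs.us-east-1.amazonaws.com/123456789012/payments":
            {"KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
        "https://sqs.us-east-1.amazonaws.com/123456789012/audit-log": {},
    }
    for url, attrs in SAMPLE.items():
        finding = audit_attributes(url, attrs)
        print(f"{finding['status']:16} {url}")
        if not finding["compliant"]:
            print("  remediation attributes:", sse_parameters(AWS_MANAGED_ALIAS))
```

The equivalent one-queue checks on the command line are `aws sqs get-queue-attributes --queue-url <url> --attribute-names KmsMasterKeyId` (no `KmsMasterKeyId` in the output means SSE is off) and, to remediate, `aws sqs set-queue-attributes --queue-url <url> --attributes KmsMasterKeyId=alias/aws/sqs`. Using a customer-managed CMK instead of `alias/aws/sqs` lets you control the key policy, but any principal or service that needs to send or receive messages must then also be granted the matching KMS permissions, which is the usual cause of queues that silently stop working after SSE is enabled.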
References
- AWS Documentation
  - Amazon SQS FAQs
  - AWS Key Management Service Pricing
  - Protecting Data Using Server-Side Encryption (SSE) and AWS KMS
  - Configuring Server-Side Encryption (SSE) for an Existing Amazon SQS Queue
- AWS Command Line Interface (CLI) Documentation
  - sqs
  - list-queues
  - get-queue-attributes
Rule: Queue Server Side Encryption (Risk level: High)