Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Sqs >

Enable Queue Encryption

HIGH
Source
Trivy/CSPM
CSPM ID
sqs-encrypted
ID
AVD-AWS-0096
cloudformation management_console terraform

Unencrypted SQS queue.

Queues should be encrypted to protect queue contents.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Turn on SQS Queue encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

AWSTemplateFormatVersion: "2010-09-09"

Description: Good example of queue

Resources:
  Queue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: some-key
      QueueName: my-queue

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for SQS. Step

  3. Select the “SQS” queue that needs to be verified and click on its “Name”.Step

  4. Scroll down the page and click on the “Encryption” tab from the bottom panel.Step

  5. Check the “Server Side Encryption” status for the selected “SQS” queue. If the “Server Side Encryption” is not configured then the following message is displayed “No server-side encryption is set for this queue”. SSE protects the content of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS)".Step

  6. Repeat step number 2 - 5 to verify other “SQS” queue in the selected AWS region.

  7. To enable the “SQS” encryption navigate to KMS services to create a “KMS CMK customer-managed key”.Step

  8. Scroll down the left navigation panel and choose “Customer managed keys” under “Key Management Service” and click on the “Create key” button at the top panel.Step

  9. On the “Configure key” page select key type as “Symmetric”. In the advanced options select “Key material origin” as “KMS” and “Regionality” as “Single-Region key” and proceed by clicking “Next” button.Step

  10. On the “Add labels” page provide the “Alias” and “Description” for the new “KMS key” and click on the “Next” button. You can define unique tags for “Tag key”, “Tag value” under the “Tags” section. Step

  11. On the “Define key administrative permissions” page select the “IAM users” and roles who can administer the new “KMS key” through the KMS API and click “Next” button.Step

  12. On the “Define key usage permissions” page select the IAM users and roles that can use the CMK to encrypt and decrypt SQS data with the “AWS KMS API” and click on the “Next” button.Step

  13. On the “Review” page review the policy and click on the “Finish” button to create a new “KMS key” which can be used to encrypt/decrypt the SQS data.Step

  14. Now “KMS CMK customer-managed key” is created navigate to SQS and select the “SQS” queue which needs to be modified and click the “Edit” button at the top.Step

  15. On the “Edit TestQueue” page scroll down to “Encryption” and under the “Server-Side Encryption” select “Enabled”. Step

  16. Under the “Encryption key type” select “AWS Key Management Service key (SSE-KMS)” and from the dropdown under “Customer master key” select the key that you have created for SQS.Step

  17. Click on the “Save” button to make the necessary changes.Step

  18. Repeat step number 7 - 17 to enable encryption using KMS for all SQS queues.

Turn on SQS Queue encryption

1
2
3

resource "aws_sqs_queue" "good_example" {
  kms_master_key_id = "/blah"
}

1
2
3
4

resource "aws_sqs_queue" "terraform_queue" {
  name                    = "terraform-example-queue"
  sqs_managed_sse_enabled = true
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use