HIGH
Source
Trivy/CSPM
CSPM ID
sqs-encrypted
ID
AVD-AWS-0096

Unencrypted SQS queue.

Queues should be encrypted to protect queue contents.

Impact

The SQS queue messages could be read if compromised

Follow the appropriate remediation steps below to resolve the issue.

Turn on SQS Queue encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of queue
Resources:
  Queue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: some-key
      QueueName: my-queue
  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for SQS. Step
  3. Select the “SQS” queue that needs to be verify from “Name”.Step
  4. Scroll down the page and click on the “Encryption” tab from the bottom panel.Step
  5. Check the “Server Side Encryption” status for the selected “SQS” queue. If the “Server Side Encryption” is not configured then the following message is being displayed “Server-side encryption (SSE) is disabled. SSE lets you protect the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS)”.Step
  6. Repeat steps number 2 - 5 to verify other “SQS” queue in the selected AWS region.
  7. To enable the “SQS” encryption navigate to KMS services to create a “KMS CMK customer-managed key”.Step
  8. Scroll down the left navigation panel and choose “Customer managed keys” under “Key Management Service” and click on the “Create key” button at the top panel.Step
  9. On the “Add alias and description” page provide the “Alias” and “Description” for the new “KMS key” and click on the “Next” button. Step
  10. On the “Add tags” page provide a unique key for “Tag key”, “Tag value” and click on the “Next” button.Step
  11. On the “Define key administrative permissions” page select the “IAM users” and roles who can administer the new “KMS key” through the KMS API.Step
  12. Click on the “Next” button at the bottom to continue the new “KMS key” process. Step
  13. On the “Define key usage permissions” page select the IAM users and roles that can use the CMK to encrypt and decrypt SQS data with the “AWS KMS API” and click on the “Next” button.Step
  14. On the “Review and edit key policy” page review the policy and click on the “Finish” button to create a new “KMS key” which can be used to encrypt/decrypt the SQS data.Step
  15. Now “KMS CMK customer-managed key” is created navigate to SQS and select the “SQS” queue which needs to be modified.Step
  16. Click on the “Queue Actions” button at the top and select the “Configure Queue” option. Step
  17. On the “Configure Test” tab scroll down and under the “Server-Side Encryption (SSE) Settings” click on the checkbox next to “Use SSE” and select the “AWS KMS Customer Master Key (CMK)” from the dropdown menu and click on the “Save Changes” button to make the necessary changes.Step
  18. Repeat steps number 8 - 17 to enable encryption using KMS for all SQS queues.

Turn on SQS Queue encryption

1
2
3
resource "aws_sqs_queue" "good_example" {
  kms_master_key_id = "/blah"
}