Queue Encryption Use Cmk | Vulnerability Database

SQS queue should be encrypted with a CMK.

Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.

Impact

The SQS queue messages could be read if compromised. Key management is very limited when using default keys.

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Encrypt SQS Queue with a customer-managed key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


AWSTemplateFormatVersion: 2010-09-09
Description: Good example of queue
Resources:
  Queue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: some-key
      QueueName: my-queue

Encrypt SQS Queue with a customer-managed key

1
2
3
4


 resource "aws_sqs_queue" "good_example" {
 	kms_master_key_id = "/blah"
 }
 

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse