SQS without server side encryption

ID

aws_sqs_server_side_encryption

Severity

high

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

SQS without server-side encryption. Messages stored in the queue are not encrypted at rest, so a user with access to the underlying storage volumes could read them in plain text.

To fix it, set the kms_master_key_id property so that messages are encrypted on the server side with the given KMS key.

Learn more about this topic in the AWS SQS Encryption documentation.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create SQS
      # No kms_master_key_id is set, so the queue is created without server-side encryption
      community.aws.sqs_queue:
        name: my-queue
        region: ap-southeast-2
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy: "{{ json_dict }}"
        redrive_policy:
          maxReceiveCount: 5
          deadLetterTargetArn: arn:aws:sqs:eu-west-1:123456789012:my-dead-queue

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create SQS
      community.aws.sqs_queue:
        name: my-queue
        region: ap-southeast-2
        default_visibility_timeout: 120
        message_retention_period: 86400
        maximum_message_size: 1024
        delivery_delay: 30
        receive_message_wait_time: 20
        policy: "{{ json_dict }}"
        # Enables server-side encryption with the named KMS key; data keys are reused for one hour
        kms_master_key_id: alias/MyQueueKey
        kms_data_key_reuse_period_seconds: 3600
        redrive_policy:
          maxReceiveCount: 5
          deadLetterTargetArn: arn:aws:sqs:eu-west-1:123456789012:my-dead-queue
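As an added example (not this rule's own scanner code), the following Python check walks an Ansible playbook that has already been loaded into Python structures, as yaml.safe_load or Ansible's loader would produce, and reports every sqs_queue task that creates a queue without kms_master_key_id. The sample playbook is constructed to mirror the two examples above; the block/rescue/always descent and the state: absent exclusion go beyond the page's single case.

```python
"""Detect sqs_queue tasks in an Ansible playbook that lack kms_master_key_id."""

RULE_ID = "aws_sqs_server_side_encryption"
# Fully qualified name from the page plus the legacy short module name.
SQS_MODULES = {"community.aws.sqs_queue", "sqs_queue"}


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if section in task:
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task


def find_unencrypted_sqs(playbook):
    """Return (play name, task name, queue name) for each unencrypted queue."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section)):
                for module in set(task) & SQS_MODULES:
                    args = task[module]
                    if not isinstance(args, dict):
                        continue  # free-form string args cannot be evaluated
                    if args.get("state") == "absent":
                        continue  # deleting a queue needs no key
                    if not args.get("kms_master_key_id"):
                        findings.append((play.get("name", "<unnamed play>"),
                                         task.get("name", "<unnamed task>"),
                                         args.get("name")))
    return findings


def report(findings):
    """Format findings as scanner-style lines tagged with the rule ID."""
    return [f"{RULE_ID}: task '{t}' in play '{p}' creates queue '{q}' "
            "without server-side encryption" for p, t, q in findings]


SAMPLE_PLAYBOOK = [{  # constructed sample mirroring the page's examples
    "name": "Example playbook", "hosts": "localhost", "tasks": [
        {"name": "Create SQS", "community.aws.sqs_queue": {
            "name": "my-queue", "region": "ap-southeast-2"}},
        {"name": "Create encrypted SQS", "community.aws.sqs_queue": {
            "name": "my-queue", "kms_master_key_id": "alias/MyQueueKey"}},
        {"block": [{"name": "Remove old queue",
                    "sqs_queue": {"name": "old-queue", "state": "absent"}}]}]}]

if __name__ == "__main__":
    print("\n".join(report(find_unencrypted_sqs(SAMPLE_PLAYBOOK))))
```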