AWS SQS server side encryption is not enabled

ID

sqs_server_unencrypted

Severity

high

Vendor

AWS

Resource

SQS

Description

Amazon Simple Queue Service (SQS) can encrypt the messages held in a queue at rest using server-side encryption (SSE). Two mutually exclusive options exist per queue: SSE-KMS, which uses a key in AWS Key Management Service (either the AWS-managed key alias/aws/sqs or a customer-managed KMS key that you create and whose key policy you control), and SSE-SQS, which uses encryption keys owned and managed by SQS itself. SSE encrypts only the message body. It does not encrypt queue metadata (queue name and attributes), message metadata (message ID, timestamp and message attributes) or per-queue metrics, and anything your application writes to its own logs is outside its protection.

If you operate under a regulatory regime such as HIPAA (healthcare), PCI DSS (payment card data) or FedRAMP (US federal systems), you must be able to show that sensitive data passing through this service is encrypted at rest.

Encrypt data queued in SQS, and declare the encryption mode explicitly in your infrastructure code rather than relying on service defaults, so the choice is visible and reviewable. See Server-side encryption for SQS for more details.

Examples

CloudFormation

{
  "Resources": {
    "MySourceQueue": { (1)
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "RedrivePolicy": {
          "deadLetterTargetArn": "example_arn",
          "maxReceiveCount": 5
        }
      }
    }
  }
}
1 Neither KmsMasterKeyId nor SqsManagedSseEnabled is declared, so the template enables no server-side encryption for the queue.
Resources:
  MySourceQueue: (1)
    Type: AWS::SQS::Queue
    Properties:
      RedrivePolicy:
        deadLetterTargetArn: "example_arn"
        maxReceiveCount: 5
1 Neither KmsMasterKeyId nor SqsManagedSseEnabled is declared, so the template enables no server-side encryption for the queue.

Terraform

resource "aws_sqs_queue" "my_queue" { (1)
  name = "terraform-example-queue"
}
1 No server-side encryption is declared: neither kms_master_key_id (SSE-KMS) nor sqs_managed_sse_enabled (SSE-SQS) is set.
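The check this policy performs can be expressed in a few lines. The following Python is an added example, not code from the page or from any scanner; it walks a CloudFormation template (parsed JSON), finds AWS::SQS::Queue resources and reports those that declare neither KmsMasterKeyId nor SqsManagedSseEnabled. The template embedded below is constructed for the example and contains the failing queue from this page plus one queue for each remediation. Because GetQueueAttributes returns the same attribute names (with booleans as the strings "true"/"false"), the classifier also accepts that form, so the same function could be reused in a runtime audit (an assumed use, not shown here).

```python
import json

SQS_QUEUE_TYPE = "AWS::SQS::Queue"


def sse_mode(props):
    """Classify a queue's server-side encryption settings.

    `props` is the Properties map of an AWS::SQS::Queue resource, or the
    attribute map returned by GetQueueAttributes (where booleans arrive as
    the strings "true"/"false"). Returns "SSE-KMS", "SSE-SQS" or None.
    """
    # Any non-empty key ID, ARN, alias, or CloudFormation intrinsic such as
    # {"Ref": "MyKey"} selects SSE-KMS; an empty string counts as unset.
    if props.get("KmsMasterKeyId"):
        return "SSE-KMS"
    managed = props.get("SqsManagedSseEnabled")
    if managed is True or str(managed).lower() == "true":
        return "SSE-SQS"
    # Nothing declared, or SqsManagedSseEnabled explicitly false without a KMS key.
    return None


def find_unencrypted_queues(template):
    """Return logical IDs of SQS queues that declare no server-side encryption."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SQS_QUEUE_TYPE:
            continue
        if sse_mode(resource.get("Properties", {})) is None:
            findings.append(logical_id)
    return findings


# Constructed sample template: the page's failing queue, one queue per
# remediation, and a non-queue resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MySourceQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "RedrivePolicy": {"deadLetterTargetArn": "example_arn", "maxReceiveCount": 5}
      }
    },
    "KmsQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": "alias/aws/sqs", "KmsDataKeyReusePeriodSeconds": 300}
    },
    "SqsManagedQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"SqsManagedSseEnabled": true}
    },
    "NotAQueue": {
      "Type": "AWS::SNS::Topic"
    }
  }
}
""")

if __name__ == "__main__":
    for queue in find_unencrypted_queues(SAMPLE_TEMPLATE):
        print(f"sqs_server_unencrypted: {queue} declares no server-side encryption")
```

Running the block reports only MySourceQueue. Note that a queue with `SqsManagedSseEnabled: false` and no KmsMasterKeyId is also flagged: that is an explicit opt-out, which is exactly what a reviewer should see.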

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MySourceQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "RedrivePolicy": {
          "deadLetterTargetArn": "example_arn",
          "maxReceiveCount": 5
        },
        "KmsMasterKeyId": "kms_id" (1)
      }
    }
  }
}
1 KmsMasterKeyId references a KMS key (key ID, key ARN, or an alias such as alias/aws/sqs), which enables SSE-KMS for the queue. Replace the placeholder kms_id with a real key.
Resources:
  MySourceQueue:
    Type: AWS::SQS::Queue
    Properties:
      RedrivePolicy:
        deadLetterTargetArn: "example_arn"
        maxReceiveCount: 5
      KmsMasterKeyId: "kms_id" (1)
1 KmsMasterKeyId references a KMS key (key ID, key ARN, or an alias such as alias/aws/sqs), which enables SSE-KMS for the queue. Replace the placeholder kms_id with a real key.

Terraform

resource "aws_sqs_queue" "my_queue" {
  name = "terraform-example-queue"
  # SSE-KMS with the AWS-managed SQS key; use a customer-managed key ARN or
  # alias instead when you need control over the key policy or rotation.
  kms_master_key_id = "alias/aws/sqs"
  # How long (60-86400 seconds) SQS may reuse a data key before calling KMS
  # again; longer periods reduce KMS cost, shorter ones limit key exposure.
  kms_data_key_reuse_period_seconds = 300
}

Choose the key deliberately. The AWS-managed key alias/aws/sqs has a fixed key policy you cannot edit, so if another AWS service (for example SNS or S3 event notifications) must send to the queue, use a customer-managed KMS key whose key policy grants that service kms:GenerateDataKey and kms:Decrypt; otherwise sends will be rejected.

Alternatively, use SSE-SQS if you need encryption at rest but do not need to manage keys. SQS owns the keys, so there is no KMS cost or key policy to maintain, but you also get no control over the key and no KMS key-usage trail in CloudTrail.

resource "aws_sqs_queue" "my_queue" {
  name = "terraform-example-queue"
  # SSE-SQS: encryption with SQS-owned keys; do not combine with kms_master_key_id,
  # only one server-side encryption option is allowed per queue.
  sqs_managed_sse_enabled = true
}