AWS SQS Queue is not Encrypted with Customer Master Key (CMK)


Amazon Simple Queue Service (SQS) allows the use of AWS Key Management Service (KMS) Customer Master Keys (CMKs) to encrypt the messages stored in the queue. By default, SQS might use the default KMS key. For better control over the encryption keys and access policies, it is recommended to use a Customer Managed CMK rather than the default.


1. Encrypt the SQS Queue with a CMK:

AWS Management Console:
  • Navigate to the SQS service.
  • In the navigation pane, select Queues.
  • Click on the name of the queue you wish to modify.
  • In the Details section, under Server-side encryption, click Edit.
  • For Server-side encryption, ensure it's set to Enabled.
  • For KMS master key, choose your desired CMK.
  • Save the changes.

To update the encryption for the SQS queue to use the CMK:

aws sqs set-queue-attributes --queue-url <YOUR-QUEUE-URL> --attributes KmsMasterKeyId=<YOUR-CMK-ID>

Replace <YOUR-QUEUE-URL> with the URL of your SQS queue and <YOUR-CMK-ID> with the ARN or ID of your CMK.

resource "aws_sqs_queue" "example" {
  name             = "example-queue"
  # ... other configurations ...

  kms_master_key_id = aws_kms_key.example.arn

resource "aws_kms_key" "example" {
  description             = "My KMS Key for SQS encryption"
  deletion_window_in_days = 10
  # ... other configurations ...

In the Terraform script, replace placeholders and adjust configurations as per your requirements.


For enhanced security and control over your encryption keys, always prefer using a Customer Managed CMK. Ensure that only authorized personnel can access and manage the CMK. Regularly review access permissions and rotate the CMK if necessary.