AWS SQS Server-Side Encryption is not enabled

Description:

Amazon Simple Queue Service (SQS) is a fully managed message queuing service used to decouple and scale microservices, distributed systems, and serverless applications. Server-Side Encryption (SSE) encrypts the body of each message as soon as SQS receives it and decrypts it only when the message is delivered to an authorized consumer, so message contents are protected at rest. SQS offers two forms: SSE-SQS, which uses keys owned and managed by SQS, and SSE-KMS, which uses an AWS KMS key you choose, so that sending to or receiving from the queue additionally requires permission on that key. If SSE is not enabled on a queue, message bodies are stored in plaintext on SQS storage, and the only control over who reads them is the queue's own access policy. Note that SSE covers the message body only: queue metadata, message metadata (message ID, timestamp, and message attributes) and per-queue metrics are not encrypted, so sensitive values must not be placed in message attributes. Queues created since late 2022 receive SSE-SQS by default, but older queues, and queues where encryption was explicitly turned off, do not.


Remediation:

1. Enable Server-Side Encryption (SSE) for SQS:

AWS Management Console:
  • Navigate to the SQS service.
  • In the navigation pane, choose Queues.
  • Click on the name of the queue you want to modify, then choose Edit.
  • In the Encryption section, set Server-side encryption to Enabled.
  • Choose the key type: Amazon SQS key (SSE-SQS), or AWS Key Management Service key (SSE-KMS) and select the KMS key to use. For SSE-KMS you can also set the data key reuse period.
  • Save the changes. Attribute changes can take up to 60 seconds to propagate.
AWS CLI:

You can use the following command to enable SSE-KMS on a queue:

aws sqs set-queue-attributes --queue-url <YOUR-QUEUE-URL> --attributes KmsMasterKeyId=<YOUR-KMS-KEY-ID>,KmsDataKeyReusePeriodSeconds=300

Replace <YOUR-QUEUE-URL> with the URL of your SQS queue, and <YOUR-KMS-KEY-ID> with the KMS key ID, key ARN, or alias (the AWS managed key for SQS is alias/aws/sqs; a customer managed key gives you control over the key policy and rotation). KmsDataKeyReusePeriodSeconds (60 to 86400, default 300) controls how long SQS reuses one data key before calling KMS again: a longer period reduces KMS calls and cost, a shorter one limits how many messages share a data key. To use SQS-owned keys instead, set the SqsManagedSseEnabled attribute to true; the two settings are mutually exclusive. Confirm the result with get-queue-attributes, requesting the KmsMasterKeyId and SqsManagedSseEnabled attributes.

Terraform:
resource "aws_sqs_queue" "example" {
  name = "example"
  # ... other configurations ...

  # SSE-KMS: encrypt message bodies with the customer managed key below.
  # To use SQS-owned keys instead, drop these two arguments and set
  # sqs_managed_sse_enabled = true (the two settings are mutually exclusive).
  kms_master_key_id                 = aws_kms_key.example.arn
  kms_data_key_reuse_period_seconds = 300
}

resource "aws_kms_key" "example" {
  description = "KMS key for SQS"
  # ... other configurations, including a key policy that grants producers
  # kms:GenerateDataKey and kms:Decrypt, and consumers kms:Decrypt ...
}

Replace the placeholders and configurations as per your requirements. Enabling automatic key rotation on the KMS key (enable_key_rotation) is recommended for customer managed keys.


Recommendation:

Ensure that Server-Side Encryption (SSE) is enabled for all your SQS queues, especially those that hold sensitive information. SSE-SQS protects data at rest with no further configuration; SSE-KMS with a customer managed key additionally lets you control and audit key usage through the KMS key policy and CloudTrail. With SSE-KMS, every producer needs kms:GenerateDataKey and kms:Decrypt on the key and every consumer needs kms:Decrypt; AWS services that publish to the queue (for example SNS, S3 event notifications, or EventBridge) must be granted these permissions in the key policy, or their deliveries will fail. SSE protects data at rest only: to protect messages in transit, deny non-TLS requests in the queue policy with an aws:SecureTransport condition. Finally, monitor your queues so that encryption remains in place and is not inadvertently disabled, for example with a scheduled audit of the KmsMasterKeyId and SqsManagedSseEnabled attributes across all queues, or with AWS Config or Security Hub checks on queue encryption.
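The remediation steps above enable SSE one queue at a time, and the recommendation asks for ongoing monitoring. The following script is an added example for this page, not AWS-provided code and not part of the original text: it pages through every queue in a region with boto3, classifies each one as SSE-KMS, SSE-SQS or unencrypted from its KmsMasterKeyId and SqsManagedSseEnabled attributes, and with --fix enables SSE on the unencrypted queues (SSE-KMS when a key is given, otherwise SSE-SQS). The function names, the command-line flags and the 300-second reuse period are this example's own choices; it assumes credentials that allow sqs:ListQueues, sqs:GetQueueAttributes and, for --fix, sqs:SetQueueAttributes.

```python
"""Audit every SQS queue in a region for server-side encryption and,
optionally, enable SSE on the queues that lack it.

Added example for this page; not AWS-provided code. Assumes credentials
that allow sqs:ListQueues, sqs:GetQueueAttributes and (for --fix)
sqs:SetQueueAttributes.
"""

# Only these two attributes describe a queue's encryption state.
ENCRYPTION_ATTRS = ["KmsMasterKeyId", "SqsManagedSseEnabled"]

# Value for KmsDataKeyReusePeriodSeconds (allowed range 60 to 86400).
# A longer period means fewer KMS calls; a shorter one limits how many
# messages share a single data key. 300 is this example's choice.
DATA_KEY_REUSE_SECONDS = "300"


def classify_encryption(attributes):
    """Map a queue's attribute dict to 'SSE-KMS', 'SSE-SQS' or 'NONE'.

    A queue reports KmsMasterKeyId only when SSE-KMS is configured;
    SqsManagedSseEnabled is the string 'true' only for SSE-SQS.
    """
    if attributes.get("KmsMasterKeyId"):
        return "SSE-KMS"
    if attributes.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "SSE-SQS"
    return "NONE"


def list_all_queue_urls(sqs):
    """Follow ListQueues NextToken pagination; QueueUrls is absent when empty."""
    urls = []
    kwargs = {"MaxResults": 1000}
    while True:
        resp = sqs.list_queues(**kwargs)
        urls.extend(resp.get("QueueUrls", []))
        token = resp.get("NextToken")
        if not token:
            return urls
        kwargs["NextToken"] = token


def audit_queues(sqs):
    """Return {queue_url: 'SSE-KMS' | 'SSE-SQS' | 'NONE'} for the region."""
    report = {}
    for url in list_all_queue_urls(sqs):
        resp = sqs.get_queue_attributes(QueueUrl=url, AttributeNames=ENCRYPTION_ATTRS)
        report[url] = classify_encryption(resp.get("Attributes", {}))
    return report


def enable_sse(sqs, queue_url, kms_key_id=None):
    """Enable SSE-KMS with kms_key_id, or SSE-SQS when no key is given.

    Attribute values must be strings; the two modes are mutually exclusive,
    and attribute changes can take up to 60 seconds to propagate.
    """
    if kms_key_id:
        attrs = {"KmsMasterKeyId": kms_key_id,
                 "KmsDataKeyReusePeriodSeconds": DATA_KEY_REUSE_SECONDS}
    else:
        attrs = {"SqsManagedSseEnabled": "true"}
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes=attrs)
    return attrs


def remediate(sqs, report, kms_key_id=None):
    """Enable SSE on every queue the report marks NONE; return the URLs fixed."""
    fixed = []
    for url, mode in report.items():
        if mode == "NONE":
            enable_sse(sqs, url, kms_key_id)
            fixed.append(url)
    return fixed


if __name__ == "__main__":
    import argparse
    import boto3  # imported here so the functions above import without boto3

    parser = argparse.ArgumentParser(description="Audit SQS queues for SSE")
    parser.add_argument("--region", default=None, help="AWS region (default: profile/env)")
    parser.add_argument("--fix", action="store_true", help="enable SSE on unencrypted queues")
    parser.add_argument("--kms-key-id", default=None,
                        help="KMS key ID, ARN or alias for SSE-KMS; omit to use SSE-SQS")
    args = parser.parse_args()

    client = boto3.client("sqs", region_name=args.region)
    result = audit_queues(client)
    for url, mode in sorted(result.items()):
        print(f"{mode:8} {url}")
    if args.fix:
        for url in remediate(client, result, args.kms_key_id):
            print(f"enabled SSE on {url}")
```

Run it as a report first (for example with --region us-east-1), review the queues listed as NONE, then rerun with --fix, adding --kms-key-id for SSE-KMS. Before switching a queue to SSE-KMS, make sure the key policy already grants the queue's producers and consumers, including any AWS services that publish to it, the KMS permissions described above; otherwise the change itself succeeds but deliveries start failing. The functions take any object exposing list_queues, get_queue_attributes and set_queue_attributes, so the logic can be exercised against a stub client before it is pointed at a real account.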