SQS queue should have server-side encryption


Description

Secure your Amazon Simple Queue Service (SQS) messages with server-side encryption.

Rationale

Encryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.

Remediation

From the console

Follow the Configuring server-side encryption for a queue (console) docs to learn how to create and use AWS Key Management Service (AWS KMS) customer master keys (CMK) for server-side encryption.

From the command line

  1. Define the set-queue-attributes attributes in a JSON file. Use your custom KMS key ARN as the value of KmsMasterKeyId. Save the file (step 2 refers to it as sqs-sse-enabled.json).

    {
      "KmsMasterKeyId": "custom_key_arn",
      "KmsDataKeyReusePeriodSeconds": "300"
    }
    
  2. Run set-queue-attributes with the queue URL and the file created in step 1.

    aws sqs set-queue-attributes \
      --queue-url https://us-west-2.queue.amazonaws.com/<insert-account-id>/<insert-sqs-queue-name> \
      --attributes file://sqs-sse-enabled.json
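As an added example (not code from this page or from Datadog), the following Python audits the attributes returned by `get-queue-attributes` for either form of SQS server-side encryption (SSE-KMS or the SQS-managed key), builds the step 1 payload with the reuse period validated, and can apply it with boto3; the queue URLs, key ARN and attribute maps are constructed sample data, and `sse_status`, `audit` and `remediate_with_boto3` are hypothetical helper names.

```python
"""Audit SQS queues for server-side encryption and build the remediation payload."""
import json

DEFAULT_KMS_KEY = "custom_key_arn"  # placeholder from the page: replace with your KMS key ARN
DEFAULT_REUSE_SECONDS = 300         # KmsDataKeyReusePeriodSeconds default used on the page


def sse_status(attributes):
    """Classify a queue from its GetQueueAttributes map.

    Returns "kms" (SSE-KMS with a customer or AWS managed key),
    "sqs" (SQS-managed SSE) or "none" (messages stored unencrypted).
    """
    if attributes.get("KmsMasterKeyId"):
        return "kms"
    if attributes.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "sqs"
    return "none"


def remediation_attributes(kms_key_id=DEFAULT_KMS_KEY, reuse_seconds=DEFAULT_REUSE_SECONDS):
    """Build the step 1 attributes; SQS only accepts a reuse period of 60..86400 seconds."""
    if not 60 <= reuse_seconds <= 86400:
        raise ValueError("KmsDataKeyReusePeriodSeconds must be between 60 and 86400")
    return {"KmsMasterKeyId": kms_key_id,
            "KmsDataKeyReusePeriodSeconds": str(reuse_seconds)}


def audit(queues):
    """Return the queue URLs whose attributes show no server-side encryption."""
    return [url for url, attrs in queues.items() if sse_status(attrs) == "none"]


def remediate_with_boto3(queue_url, kms_key_id=DEFAULT_KMS_KEY):
    """Same call as `aws sqs set-queue-attributes`; producers then need kms:GenerateDataKey
    and consumers kms:Decrypt on the key, so check the key policy before switching."""
    import boto3  # imported here so the audit logic above runs without AWS credentials
    boto3.client("sqs").set_queue_attributes(
        QueueUrl=queue_url, Attributes=remediation_attributes(kms_key_id))


# Constructed sample output of `aws sqs get-queue-attributes --attribute-names All`
SAMPLE_QUEUES = {
    "https://sqs.us-west-2.amazonaws.com/123456789012/orders": {
        "KmsMasterKeyId": "arn:aws:kms:us-west-2:123456789012:key/EXAMPLE-KEY-ID",
        "KmsDataKeyReusePeriodSeconds": "300"},
    "https://sqs.us-west-2.amazonaws.com/123456789012/events": {
        "SqsManagedSseEnabled": "true"},
    "https://sqs.us-west-2.amazonaws.com/123456789012/legacy": {
        "SqsManagedSseEnabled": "false", "VisibilityTimeout": "30"},
}

if __name__ == "__main__":
    for url in audit(SAMPLE_QUEUES):
        print("unencrypted:", url)
        print(json.dumps(remediation_attributes(), indent=2))  # payload for sqs-sse-enabled.json
```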