SQS with SSE disabled

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SQS with SSE disabled

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 6e8849c1-3aa7-40e3-9063-b85ee300f29f

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Encryption

Learn More

Provider Reference

Description

Amazon Simple Queue Service (SQS) queues should use Server-Side Encryption (SSE) to protect the contents of their messages while at rest. Without specifying the kms_master_key_id attribute in the Terraform configuration (for example, resource "aws_sqs_queue" "positive1"), messages sent to the queue are stored without encryption, exposing sensitive data to unauthorized access if AWS infrastructure is compromised. Enabling SSE by setting kms_master_key_id, as shown below, ensures that all messages are encrypted using a customer-managed key, significantly reducing the risk of data leakage.

resource "aws_sqs_queue" "example" {
  name                  = "terraform-example-queue"
  kms_master_key_id     = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}

Compliant Code Examples

resource "aws_sqs_queue" "negative3" {
  name                    = "terraform-example-queue"
  sqs_managed_sse_enabled = true
}

module "user_queue" {
  source  = "terraform-aws-modules/sqs/aws"
  version = "~> 2.0"

  name = "user"

  tags = {
    Service     = "user"
    Environment = "dev"
  }

  kms_master_key_id = "alias/aws/sqs"

}

resource "aws_sqs_queue" "negative1" {
  name                              = "terraform-example-queue"
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}

Non-Compliant Code Examples

module "user_queue" {
  source  = "terraform-aws-modules/sqs/aws"
  version = "~> 2.0"

  name = "user"

  tags = {
    Service     = "user"
    Environment = "dev"
  }

  kms_master_key_id = null

}

resource "aws_sqs_queue" "positive2" {
  name                              = "terraform-example-queue"
  kms_master_key_id                 = ""
  kms_data_key_reuse_period_seconds = 300
}

resource "aws_sqs_queue" "positive3" {
  name                              = "terraform-example-queue"
  kms_master_key_id                 = null
  kms_data_key_reuse_period_seconds = 300
}