SQS queue should have server-side encryption

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Secure your Amazon Simple Queue Service (SQS) messages with server-side encryption.

Rationale

Encryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.

Remediation

From the console

Follow the Configuring service-side encryption for a queue(console) docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.

From the command line

  1. Define set-queue-attributes in a file. Use your custom KMS Master Key ARN for KmsMasterKeyID. Save the file.

    {
      "KmsMasterKeyId": "custom_key_arn",
      "KmsDataKeyReusePeriodSeconds": "300"
    }
    
  2. Run set-queue-attributes with the queue URL and the file created in step 1.

    aws sqs set-queue-attributes
      --queue-url https://us-west-2.queue.amazonaws.com/<insert-account-id>/<insert-sqs-queue-name>
      --attributes file://sqs-sse-enabled.json