Check if SQS queues have Server Side Encryption enabled

Overview

This check verifies that your Amazon SQS queues have server-side encryption (SSE) enabled using AWS KMS keys. Encryption protects message content at rest, ensuring that sensitive data stored in queues remains confidential.

Risk

Without server-side encryption enabled:

  • Data exposure: Message bodies containing secrets, tokens, or personally identifiable information (PII) could be accessed by unauthorized parties
  • No audit trail: You lose the ability to track who accessed encryption keys through AWS CloudTrail
  • Limited access control: You cannot revoke access by disabling or rotating KMS keys
  • Compliance gaps: Many regulatory frameworks require encryption of data at rest

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify SQS queues, OR
  • AWS CLI configured with appropriate credentials
  • Permission to use KMS keys (either the AWS-managed alias/aws/sqs key or a customer-managed key)

AWS Console Method

  1. Open the Amazon SQS console at https://console.aws.amazon.com/sqs/
  2. In the navigation pane, choose Queues
  3. Select the queue you want to encrypt
  4. Choose Edit
  5. Expand the Encryption section
  6. For Server-side encryption, select Enabled
  7. For Encryption key type, choose one of:
    • Amazon SQS key (SSE-SQS) - AWS-managed key, simplest option
    • AWS Key Management Service key (SSE-KMS) - For more control, select a customer-managed key
  8. If using SSE-KMS, select your preferred KMS key (or use alias/aws/sqs)
  9. Choose Save

AWS CLI (optional)

Enable encryption on an existing queue:

aws sqs set-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/my-queue \
  --attributes KmsMasterKeyId=alias/aws/sqs \
  --region us-east-1

Using a customer-managed KMS key:

aws sqs set-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/my-queue \
  --attributes KmsMasterKeyId=arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --region us-east-1

Get your queue URL first (if needed):

aws sqs get-queue-url \
  --queue-name my-queue \
  --region us-east-1

Replace:

  • 123456789012 with your AWS account ID
  • my-queue with your queue name
  • The KMS key ARN with your actual key ARN (if using a customer-managed key)

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: SQS Queue with Server-Side Encryption enabled

Parameters:
  QueueName:
    Type: String
    Description: Name of the SQS queue
    Default: my-encrypted-queue

Resources:
  EncryptedQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref QueueName
      KmsMasterKeyId: alias/aws/sqs
      KmsDataKeyReusePeriodSeconds: 300

Outputs:
  QueueUrl:
    Description: URL of the encrypted SQS queue
    Value: !Ref EncryptedQueue
  QueueArn:
    Description: ARN of the encrypted SQS queue
    Value: !GetAtt EncryptedQueue.Arn

Key properties:

  • KmsMasterKeyId: The KMS key to use. Use alias/aws/sqs for the AWS-managed key, or specify a customer-managed key ARN
  • KmsDataKeyReusePeriodSeconds: How long (in seconds) SQS can reuse a data key before calling KMS again (300-86400, default 300)

To use a customer-managed KMS key instead:

      KmsMasterKeyId: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "queue_name" {
  description = "Name of the SQS queue"
  type        = string
  default     = "my-encrypted-queue"
}

resource "aws_sqs_queue" "encrypted_queue" {
  name                              = var.queue_name
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}

output "queue_url" {
  description = "URL of the encrypted SQS queue"
  value       = aws_sqs_queue.encrypted_queue.url
}

output "queue_arn" {
  description = "ARN of the encrypted SQS queue"
  value       = aws_sqs_queue.encrypted_queue.arn
}

To use a customer-managed KMS key:

resource "aws_sqs_queue" "encrypted_queue" {
  name                              = var.queue_name
  kms_master_key_id                 = aws_kms_key.sqs_key.arn
  kms_data_key_reuse_period_seconds = 300
}

resource "aws_kms_key" "sqs_key" {
  description             = "KMS key for SQS encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

Verification

After enabling encryption, verify it was applied:

  1. In the SQS Console, select your queue
  2. On the Encryption tab, confirm Server-side encryption shows as Enabled
  3. Verify the correct KMS key is displayed

CLI verification

aws sqs get-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/my-queue \
  --attribute-names KmsMasterKeyId \
  --region us-east-1

Expected output shows your KMS key:

{
  "Attributes": {
    "KmsMasterKeyId": "alias/aws/sqs"
  }
}
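The CLI verification above inspects one queue by hand. As an added example that is not part of the original page, the Python script below applies the same check to every queue in a region: classify_sse reads the "Attributes" map that get-queue-attributes returns and distinguishes no SSE, SSE-SQS, the AWS-managed alias/aws/sqs key and a customer-managed key, so only queues with no encryption at all are reported as failing (SSE-SQS counts as passing, matching remediation step 7). audit_region assumes boto3 is installed with valid AWS credentials; SAMPLE is constructed data, not output from a real account.

```python
from typing import Dict, List

# Attribute names as returned by the SQS GetQueueAttributes API.
SSE_ATTRS = ["KmsMasterKeyId", "SqsManagedSseEnabled"]
AWS_MANAGED_ALIAS = "alias/aws/sqs"


def classify_sse(attrs: Dict[str, str]) -> str:
    """Classify one queue's "Attributes" map; only 'none' fails the check."""
    # KmsMasterKeyId is absent when SSE-KMS is off; SqsManagedSseEnabled is "true"/"false".
    key_id = attrs.get("KmsMasterKeyId", "")
    if key_id:
        return "sse-kms-aws-managed" if key_id == AWS_MANAGED_ALIAS else "sse-kms-cmk"
    if attrs.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "sse-sqs"
    return "none"


def failing_queues(queue_attrs: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the URLs of queues that store messages with no SSE at all."""
    return sorted(url for url, a in queue_attrs.items() if classify_sse(a) == "none")


# Constructed sample of per-queue attribute maps (not real account data).
ACCOUNT = "https://sqs.us-east-1.amazonaws.com/123456789012/"
SAMPLE = {
    ACCOUNT + "plain": {},
    ACCOUNT + "sqs-sse": {"SqsManagedSseEnabled": "true"},
    ACCOUNT + "kms-aws": {"KmsMasterKeyId": "alias/aws/sqs"},
    ACCOUNT + "kms-cmk": {"KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/"
                          "12345678-1234-1234-1234-123456789012"},
}


def audit_region(region: str) -> List[str]:
    """Fetch every queue in `region` via boto3 and return the failing ones."""
    import boto3  # assumed installed and credentialed; lazy so the rest runs offline
    sqs = boto3.client("sqs", region_name=region)
    collected = {}
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            resp = sqs.get_queue_attributes(QueueUrl=url, AttributeNames=SSE_ATTRS)
            collected[url] = resp.get("Attributes", {})
    return failing_queues(collected)


if __name__ == "__main__":
    for url in failing_queues(SAMPLE):
        print("FAIL: no server-side encryption:", url)
```

Replace failing_queues(SAMPLE) in the main block with audit_region("us-east-1") to run the check against a real account.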

Additional Resources

Notes

  • SSE-SQS vs SSE-KMS: SSE-SQS uses AWS-managed keys with no additional cost. SSE-KMS provides more control (key policies, rotation, audit trails) but incurs KMS API charges.
  • Key permissions: If using a customer-managed KMS key, ensure that principals sending/receiving messages have kms:GenerateDataKey and kms:Decrypt permissions on the key.
  • Existing messages: Enabling encryption only affects new messages. Existing unencrypted messages remain unencrypted.
  • FIFO queues: Encryption works the same way for both standard and FIFO queues.
  • Data key reuse: The KmsDataKeyReusePeriodSeconds setting balances security (lower values) against KMS API costs (higher values). Default is 300 seconds (5 minutes).