Amazon Simple Queue Service (SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS offers common constructs such as dead-letter queues and cost allocation tags. It provides a generic web services API that you can access using any programming language that the AWS SDK supports.
Enabling Server Side Encryption (SSE) on SQS queues encrypts the data passed through the queues. Messages are stored in encrypted form, and Amazon SQS decrypts them only when they are sent to an authorized consumer. Amazon SQS server-side encryption uses the 256-bit Advanced Encryption Standard (AES-256 GCM algorithm) to encrypt each message body. To protect the data in a queue's messages, enable server-side encryption (SSE) for the queue.
When you are using AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement encryption to make the contents of these messages unavailable to unauthorized or anonymous users. The encryption and decryption are handled transparently by SQS SSE and do not require any additional action from you or your application.
By default, SQS queues have Server Side Encryption disabled.
A KMS key is required for encryption
Sign in with permissions required to access SQS
Using AWS CLI
Run list-queues command in the region where we want
aws sqs list-queues
Run get-queue-attributes command
aws sqs get-queue-attributes --queue-url https://sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --attribute-names KmsMasterKeyId
The command output should return the requested KMS CMK ID. If the get-queue-attributes command executed at the previous step does not produce any output, the SQS queue does not use an AWS KMS CMK, so the SQS SSE feature is not enabled for the selected queue.
Repeat steps 1 to 5 until every SQS queue has been checked for whether Server Side Encryption is enabled.
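The audit steps above can be run over every queue in a region in one pass. The following is an added example, not part of the original procedure: the function name audit_sqs_sse and the SSE_KMS / NO_SSE_KMS labels are this example's own, and it assumes the AWS CLI is installed and configured with permission to list queues and read their attributes.

```shell
# Added example: check every SQS queue in one region for a KMS key.
# Usage: audit_sqs_sse us-east-1
# Prints "<status> <queue-url> <key-id>" (tab separated) for each queue.
# Returns 0 if every queue has a KmsMasterKeyId, 1 if any queue lacks one,
# 2 if an AWS CLI call fails.
audit_sqs_sse() {
  region="$1"
  failed=0

  # With --output text the URLs come back whitespace separated; a region
  # with no queues prints "None".
  urls=$(aws sqs list-queues --region "$region" \
           --query 'QueueUrls[]' --output text) || return 2

  for url in $urls; do
    [ "$url" = "None" ] && continue

    # Request only KmsMasterKeyId. A queue without a CMK returns no such
    # attribute, which the text output shows as "None" or an empty string.
    key=$(aws sqs get-queue-attributes --region "$region" \
            --queue-url "$url" --attribute-names KmsMasterKeyId \
            --query 'Attributes.KmsMasterKeyId' --output text) || return 2

    if [ -z "$key" ] || [ "$key" = "None" ]; then
      printf 'NO_SSE_KMS\t%s\t-\n' "$url"
      failed=1
    else
      printf 'SSE_KMS\t%s\t%s\n' "$url" "$key"
    fi
  done

  return "$failed"
}

# Run the audit when the script is called with a region argument.
if [ "$#" -gt 0 ]; then
  audit_sqs_sse "$1"
fi
```

The non-zero return code lets a scheduled job or CI step fail when any queue in the region is reported as NO_SSE_KMS.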
If you want to revoke the change, follow the implementation steps, choose Disable at step 4, and click Save.
Note: If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SQS console. Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.