Description:
Amazon Simple Queue Service (SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS offers common constructs such as dead-letter queues and cost allocation tags. It provides a generic web services API that you can access using any programming language that the AWS SDK supports.
Rationale:
Enabling server-side encryption (SSE) on SQS queues encrypts the data passed through the queues. Each message is stored in encrypted form, and Amazon SQS decrypts a message only when it is delivered to an authorized consumer. Amazon SQS server-side encryption uses the 256-bit Advanced Encryption Standard (AES-256 GCM algorithm) to encrypt each message body. To protect the data in a queue's messages, enable server-side encryption for that queue.
Impact:
When you use AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement encryption so that the contents of these messages are unavailable to unauthorized or anonymous users. Encryption and decryption are handled transparently by SQS SSE and do not require any additional action from you or your application.
Default value:
By default, SQS queues have Server Side Encryption disabled.
Pre-Requisite:
A KMS key for encryption
Sign in with the permissions required to access SQS
Remediation:
Test Plan:
Log in to the AWS Management Console
Go to the Amazon SQS service at https://console.aws.amazon.com/sqs/
Choose the Queue you want to examine and click on it
In the Details section, check whether encryption is enabled or not
If it shows “No server-side encryption is set for this queue”, as in the image below, encryption is not enabled
Using AWS CLI
Run the list-queues command in the region you want to check:
aws sqs list-queues
Run the get-queue-attributes command for each queue URL returned:
aws sqs get-queue-attributes --queue-url https://sqs.us-east-1.amazonaws.com/80398EXAMPLE/MyQueue --attribute-names All
The command output should include the KmsMasterKeyId attribute with the ID of the KMS CMK used by the queue. If the output of the get-queue-attributes command executed at the previous step does not include a KmsMasterKeyId, the SQS queue does not use an AWS KMS CMK, and therefore SQS SSE is not enabled for the selected queue.
Repeat steps 1 to 5 until every SQS queue has been checked for whether server-side encryption is enabled or not.
Implementation Step:
Log in to the AWS Management Console
Go to the Amazon SQS service at https://console.aws.amazon.com/sqs/
Select the Queue and click Edit at the top right.
Go to the Encryption section and choose Enable
Select the key you want to encrypt with, or else it will take the default key
Set the Data key reuse period; you can choose between 1 minute and 24 hours. The default value for this setting is 5 minutes (suitable for most configurations). Click Save
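The test plan and the implementation steps above can be automated with the AWS SDK. The following is an added example (not part of the original benchmark page) using a boto3-style SQS client: it walks every queue in a region, classifies each one by the KmsMasterKeyId and SqsManagedSseEnabled attributes returned by GetQueueAttributes, and enables SSE-KMS on a queue with a data key reuse period validated against the 1 minute to 24 hour range. The queue URLs, account number and key ARN are constructed sample values, and FakeSqs is an assumed stand-in for a real client so the logic can be exercised offline.

```python
"""Audit and remediate SQS server-side encryption through the SQS API.

Added example, not the benchmark's own code. Assumes a boto3-style client
exposing list_queues / get_queue_attributes / set_queue_attributes. All
queue URLs, the account ID and the KMS key ARN below are constructed.
"""

MIN_REUSE_SECONDS = 60        # 1 minute, the smallest allowed reuse period
MAX_REUSE_SECONDS = 86_400    # 24 hours, the largest allowed reuse period
DEFAULT_REUSE_SECONDS = 300   # 5 minutes, the console default

# Constructed sample queue URLs (account 123456789012 is a placeholder).
ORDERS_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/orders"
AUDIT_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/audit-log"
LEGACY_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/legacy"


def classify_sse(attributes):
    """Return 'kms', 'sqs-managed' or 'none' for one queue's attribute map.

    KmsMasterKeyId is present only when SSE with a KMS key is enabled;
    SqsManagedSseEnabled is 'true' when the SQS-owned key is used instead.
    """
    if attributes.get("KmsMasterKeyId"):
        return "kms"
    if attributes.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "sqs-managed"
    return "none"


def audit_queues(sqs):
    """Mirror the test plan: list every queue (following NextToken pages)
    and fetch all attributes to decide whether SSE is enabled."""
    findings = {}
    kwargs = {}
    while True:
        page = sqs.list_queues(**kwargs)
        for url in page.get("QueueUrls", []):
            resp = sqs.get_queue_attributes(QueueUrl=url, AttributeNames=["All"])
            findings[url] = classify_sse(resp.get("Attributes", {}))
        if not page.get("NextToken"):
            return findings
        kwargs = {"NextToken": page["NextToken"]}


def build_sse_attributes(kms_key_id, reuse_seconds=DEFAULT_REUSE_SECONDS):
    """Attributes that turn on SSE-KMS; reject a reuse period outside the
    1 minute to 24 hour window the console allows."""
    if not MIN_REUSE_SECONDS <= reuse_seconds <= MAX_REUSE_SECONDS:
        raise ValueError(
            f"reuse period {reuse_seconds}s must be between "
            f"{MIN_REUSE_SECONDS} and {MAX_REUSE_SECONDS} seconds")
    return {
        "KmsMasterKeyId": kms_key_id,
        "KmsDataKeyReusePeriodSeconds": str(reuse_seconds),
    }


def enable_sse(sqs, queue_url, kms_key_id, reuse_seconds=DEFAULT_REUSE_SECONDS):
    """Mirror the implementation step, then re-read the queue to confirm."""
    sqs.set_queue_attributes(
        QueueUrl=queue_url,
        Attributes=build_sse_attributes(kms_key_id, reuse_seconds))
    resp = sqs.get_queue_attributes(QueueUrl=queue_url, AttributeNames=["All"])
    return classify_sse(resp["Attributes"])


class FakeSqs:
    """Assumed offline stand-in for a boto3 SQS client with three constructed
    queues: one on a KMS key, one on the SQS-owned key, one unencrypted."""

    def __init__(self):
        self.queues = {
            ORDERS_URL: {"KmsMasterKeyId": "alias/aws/sqs",
                         "KmsDataKeyReusePeriodSeconds": "300"},
            AUDIT_URL: {"SqsManagedSseEnabled": "true"},
            LEGACY_URL: {"SqsManagedSseEnabled": "false"},
        }

    def list_queues(self, **kwargs):
        urls = sorted(self.queues)  # two pages, to exercise NextToken handling
        if "NextToken" not in kwargs:
            return {"QueueUrls": urls[:2], "NextToken": "page2"}
        return {"QueueUrls": urls[2:]}

    def get_queue_attributes(self, QueueUrl, AttributeNames):
        return {"Attributes": dict(self.queues[QueueUrl])}

    def set_queue_attributes(self, QueueUrl, Attributes):
        self.queues[QueueUrl].update(Attributes)
        return {}


if __name__ == "__main__":
    import boto3  # only needed for a live run against a real account
    client = boto3.client("sqs", region_name="us-east-1")
    for url, state in audit_queues(client).items():
        print(f"{state:12} {url}")
```

For a live run the same audit_queues and enable_sse functions take a real boto3 client; the caller needs sqs:ListQueues, sqs:GetQueueAttributes and sqs:SetQueueAttributes, plus the KMS permissions noted under the backout plan to see the key in the console.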
Backout plan:
If you want to revert the change, follow the implementation steps, choose Disable at step 4, and click Save.
Note: If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SQS console. Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.
Reference:
What is Amazon Simple Queue Service? - Amazon Simple Queue Service