Description:

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications.


Rationale:

It is recommended that a Redshift Cluster not be publicly accessible to other services and resources in AWS. A public Redshift Cluster means that unauthorized actors could access your data, which can lead to misuse of the data.


Remediation:

SQS queues need to have server-side encryption (SSE) enabled:


  1. Sign in to the Amazon SQS console.
  2. Choose Create New Queue.
  3. On the Create New Queue page, ensure that you're in the correct region and then type the Queue Name.

            Note: The name of a FIFO queue must end with the .fifo suffix.

  4. Standard is selected by default. Choose FIFO.
  5. Choose Configure Queue, and then choose Use SSE.
  6. Specify the customer master key (CMK) ID. For more information, see Key terms.

        For each CMK type, the Description, Account, and Key ARN of the CMK are displayed.

        Note: If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SQS console. Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.

        The AWS managed CMK for Amazon SQS is selected by default.

        Note: Keep the following in mind:

          • If you don't specify a custom CMK, Amazon SQS uses the AWS managed CMK for Amazon SQS. For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.
          • The first time you use the AWS Management Console to specify the AWS managed CMK for Amazon SQS for a queue, AWS KMS creates the AWS managed CMK for Amazon SQS.
          • Alternatively, the first time you use the SendMessage or SendMessageBatch action on a queue with SSE enabled, AWS KMS creates the AWS managed CMK for Amazon SQS.

        To use a custom CMK from your AWS account, select it from the list.

        To use a custom CMK ARN from your AWS account or from another AWS account, select Enter an existing CMK ARN from the list and type or copy the CMK ARN.

  7. Choose Create Queue.

Your new queue is created with SSE. The encryption status, alias of the CMK, Description, Account, Key ARN, and the Data Key Reuse Period are displayed on the Encryption tab.
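The console steps above create one encrypted queue by hand. The script below is an added example (not code from the original page or from AWS) that audits existing queues against this same requirement and can remediate them: it reads the KmsMasterKeyId, KmsDataKeyReusePeriodSeconds and SqsManagedSseEnabled attributes that the SQS GetQueueAttributes API returns, classifies each queue as encrypted with the AWS managed CMK, a customer CMK, SQS-owned keys (SSE-SQS, which the page predates but which also satisfies the check), or not at all, and uses SetQueueAttributes with alias/aws/sqs to switch on SSE for queues that fail. The queue URLs and key ARN in SAMPLE_QUEUE_ATTRIBUTES are constructed sample data for a fictional account; boto3 is only imported when run with --live.

```python
"""Audit Amazon SQS queues for server-side encryption (SSE) and remediate.

Added example, not code from the original page. The compliance logic is pure
and runs offline on attribute maps shaped like the GetQueueAttributes API
response; the two boto3 helpers are only exercised with --live.
"""
from __future__ import annotations

from dataclasses import dataclass

# Queue attribute names as returned by the SQS GetQueueAttributes API.
KMS_KEY_ATTR = "KmsMasterKeyId"
DATA_KEY_REUSE_ATTR = "KmsDataKeyReusePeriodSeconds"
SQS_MANAGED_SSE_ATTR = "SqsManagedSseEnabled"

# Alias of the AWS managed CMK for Amazon SQS (the console default).
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"


@dataclass(frozen=True)
class SseFinding:
    queue_url: str
    encrypted: bool
    key_type: str   # "aws-managed", "customer-managed", "sqs-managed" or "none"
    detail: str


def classify_sse(attributes: dict[str, str]) -> tuple[bool, str, str]:
    """Return (encrypted, key_type, detail) for one queue's attribute map."""
    kms_key = attributes.get(KMS_KEY_ATTR, "").strip()
    if kms_key:
        reuse = attributes.get(DATA_KEY_REUSE_ATTR, "300")  # API default is 300s
        if kms_key == AWS_MANAGED_SQS_KEY or kms_key.endswith(":" + AWS_MANAGED_SQS_KEY):
            return True, "aws-managed", f"SSE-KMS with {kms_key}, data key reuse {reuse}s"
        return True, "customer-managed", f"SSE-KMS with {kms_key}, data key reuse {reuse}s"
    # Queues may instead use SQS-owned keys (SSE-SQS); the attribute is absent
    # on older queues, so absence is treated as "false".
    if attributes.get(SQS_MANAGED_SSE_ATTR, "false").lower() == "true":
        return True, "sqs-managed", "SSE-SQS (SQS-owned keys, no KMS key)"
    return False, "none", "no server-side encryption configured"


def audit_queues(queue_attrs: dict[str, dict[str, str]]) -> list[SseFinding]:
    """Evaluate every queue and return one finding per queue."""
    return [SseFinding(url, *classify_sse(attrs)) for url, attrs in queue_attrs.items()]


def unencrypted_queues(queue_attrs: dict[str, dict[str, str]]) -> list[str]:
    """URLs of queues that fail the check."""
    return [f.queue_url for f in audit_queues(queue_attrs) if not f.encrypted]


def fetch_queue_attributes(sqs_client) -> dict[str, dict[str, str]]:
    """Collect SSE-relevant attributes of the queues in the client's region."""
    result: dict[str, dict[str, str]] = {}
    for url in sqs_client.list_queues().get("QueueUrls", []):
        resp = sqs_client.get_queue_attributes(
            QueueUrl=url,
            AttributeNames=[KMS_KEY_ATTR, DATA_KEY_REUSE_ATTR, SQS_MANAGED_SSE_ATTR],
        )
        result[url] = resp.get("Attributes", {})
    return result


def enable_kms_sse(sqs_client, queue_url: str,
                   kms_key_id: str = AWS_MANAGED_SQS_KEY, reuse_seconds: int = 300) -> None:
    """Turn on SSE-KMS for an existing queue (the API equivalent of 'Use SSE')."""
    sqs_client.set_queue_attributes(
        QueueUrl=queue_url,
        Attributes={KMS_KEY_ATTR: kms_key_id, DATA_KEY_REUSE_ATTR: str(reuse_seconds)},
    )


# Constructed sample data: four queues in a fictional account 123456789012.
SAMPLE_QUEUE_ATTRIBUTES = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/orders": {
        KMS_KEY_ATTR: AWS_MANAGED_SQS_KEY, DATA_KEY_REUSE_ATTR: "300"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/payments.fifo": {
        KMS_KEY_ATTR: "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        DATA_KEY_REUSE_ATTR: "60"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/audit-log": {
        SQS_MANAGED_SSE_ATTR: "true"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/legacy-events": {
        SQS_MANAGED_SSE_ATTR: "false"},
}

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only needed against a real account
        attrs = fetch_queue_attributes(boto3.client("sqs"))
    else:
        attrs = SAMPLE_QUEUE_ATTRIBUTES
    for f in audit_queues(attrs):
        print(f"{'PASS' if f.encrypted else 'FAIL'} {f.queue_url}: {f.detail}")
```

Run without arguments to see the classification on the sample data (only legacy-events fails); with --live and AWS credentials it lists the queues in the default region instead. Remediation is deliberately a separate call (enable_kms_sse) so a review step can sit between the audit and the change; the caller needs sqs:ListQueues, sqs:GetQueueAttributes and sqs:SetQueueAttributes, and, as the note about kms:ListAliases and kms:DescribeKey above implies, producers and consumers of a newly encrypted queue must also be allowed to use the chosen CMK.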



Reference:

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html