iCompaas Support

Profile Applicability:
Level 1

Description:
This control ensures that Amazon Simple Queue Service (SQS) queues have Server-Side Encryption (SSE) enabled using AWS Key Management Service (KMS). SSE protects sensitive data at rest by encrypting the contents of SQS messages. This ensures that even if unauthorized access to stored messages occurs, the data remains unreadable without the correct encryption keys.

Rationale:
SQS queues often handle sensitive information such as application data, transaction details, or event logs. Without encryption, this data is stored in plaintext and could be exposed in the event of unauthorized access or a data breach. Enabling SSE ensures compliance with data protection standards and helps maintain confidentiality and integrity of message data.

Impact:
Positive Impact:

• Protects sensitive data in transit and at rest.

• Strengthens compliance with regulatory frameworks (CIS, SOC 2, ISO 27001, HIPAA, GDPR).

• Provides centralized encryption key management using AWS KMS.
  Negative Impact:

• Slight increase in latency due to encryption/decryption operations.

• Minimal additional cost associated with AWS KMS key usage.
  
  

Default Value:
By default, SQS queues are not encrypted. SSE must be explicitly enabled during queue creation or afterward via queue configuration.

Pre-Requisite:

• IAM permissions required: sqs:GetQueueAttributes, sqs:SetQueueAttributes, and kms:ListKeys.

• An AWS KMS key (AWS-managed key for SQS or a customer-managed CMK).
  
  

Test Plan 
Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon SQS → Queues.

3. Select a queue and open the Configuration tab.

4. Under Server-side encryption, verify that encryption is Enabled.

5. Check the AWS KMS key field:

   • Should display an AWS-managed key (alias/aws/sqs) or a customer-managed key (e.g., arn:aws:kms:region:account-id:key/key-id).

6. If SSE is disabled, follow the implementation steps to enable it.
   
   

Implementation Plan 
Using AWS Console:

1. Navigate to Amazon SQS → Queues.

2. Select the queue requiring encryption.

3. Under the Configuration tab, click Edit.

4. Locate the Server-side encryption section.

5. Set Encryption to Enabled.

6. Choose an appropriate KMS key for encryption:

   • AWS managed key for SQS (default): alias/aws/sqs

   • Customer-managed key: Select an existing key or create a new one in AWS KMS.

7. Save the configuration.

8. Repeat this process for all existing queues.

9. When creating new queues, always enable SSE by default.
   
   

Backout Plan:

1. If encryption causes unexpected application behavior (e.g., incompatibility with older SDKs), revert the setting:

   • Navigate to Amazon SQS → Queues → [Queue Name] → Configuration → Edit.

   • Disable Server-side encryption.

2. Review the application architecture to ensure encryption compatibility before re-enabling SSE.
   
   

References:

• Amazon SQS Server-Side Encryption Documentation

• AWS KMS Developer Guide

• CIS AWS Foundations Benchmark v2.0.0 – Control 3.27

• AWS Security Best Practices