Amazon_SQS_8
AWS SQS queues should be encrypted using an AWS-managed Customer Master Key (CMK) instead of an AWS-owned CMK. This is required to meet regulatory requirements for server-side encryption of sensitive data that may be stored in SQS. In addition, encrypting SQS queues with an AWS-managed CMK allows you to view the CMK and its key policy, and to audit encryption and decryption events by examining the SQS API calls recorded in CloudTrail.
Perform the following steps to configure at-rest encryption with your own managed key:
Via AWS Console
1. Log in to the AWS Console.
2. Navigate to the KMS service.
3. Select “Customer managed key” and create a new key.
4. Navigate to the SQS service.
5. Select the relevant queue and click Edit.
6. Look for “Encryption – Optional” and choose the alias of the CMK you just created.
Via CLI:
aws sqs set-queue-attributes --queue-url <Queue url> --attributes KmsMasterKeyId=<CMK key name>
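To verify the result across an account, the following added example (not Cloudlytics code) reads the KmsMasterKeyId and SqsManagedSseEnabled attributes that GetQueueAttributes returns and classifies each queue as unencrypted, SSE-SQS (AWS-owned key), AWS-managed KMS key (alias/aws/sqs) or customer-managed key; the queue URLs, aliases and the FakeSqsClient stand-in are constructed for offline use.

```python
# Added example (not Cloudlytics code): classify SQS at-rest encryption from the
# attributes GetQueueAttributes returns. The AWS-managed KMS key for SQS is alias/aws/sqs.
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"

def classify_sqs_encryption(attrs: dict) -> str:
    """Return 'none', 'sqs-owned', 'aws-managed-cmk' or 'customer-managed-cmk'."""
    key_id = attrs.get("KmsMasterKeyId", "").strip()
    if key_id:
        # KMS-based SSE; the AWS-managed key is referenced by a fixed alias (or its ARN).
        if key_id == AWS_MANAGED_SQS_KEY or key_id.endswith(":" + AWS_MANAGED_SQS_KEY):
            return "aws-managed-cmk"
        return "customer-managed-cmk"  # key ID, key ARN or custom alias in your account
    if attrs.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "sqs-owned"  # SSE-SQS: AWS-owned key that you cannot view or audit in KMS
    return "none"

def is_compliant(attrs: dict) -> bool:
    """Amazon_SQS_8 passes only for a key you can view and audit in your own KMS."""
    return classify_sqs_encryption(attrs) == "customer-managed-cmk"

def audit_queues(sqs_client) -> dict:
    """Map every queue URL to its classification; sqs_client is a boto3 SQS client or a stand-in."""
    results = {}
    for url in sqs_client.list_queues().get("QueueUrls", []):
        attrs = sqs_client.get_queue_attributes(
            QueueUrl=url, AttributeNames=["KmsMasterKeyId", "SqsManagedSseEnabled"])["Attributes"]
        results[url] = classify_sqs_encryption(attrs)
    return results

# Constructed sample data standing in for a real account (hypothetical queue URLs and aliases).
SAMPLE_ATTRIBUTES = {
    "https://sqs.us-east-1.amazonaws.com/111122223333/orders": {"KmsMasterKeyId": "alias/orders-sqs"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/audit": {"KmsMasterKeyId": "alias/aws/sqs"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/events": {"SqsManagedSseEnabled": "true"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/scratch": {"SqsManagedSseEnabled": "false"},
}

class FakeSqsClient:
    """Minimal stand-in for boto3's SQS client, answering from SAMPLE_ATTRIBUTES-style data."""
    def __init__(self, data):
        self._data = data
    def list_queues(self):
        return {"QueueUrls": list(self._data)}
    def get_queue_attributes(self, QueueUrl, AttributeNames):
        # Like the real API, only attributes that are set on the queue come back.
        return {"Attributes": {k: v for k, v in self._data[QueueUrl].items() if k in AttributeNames}}
```

Against a real account, call `audit_queues(boto3.client("sqs"))` with credentials that allow sqs:ListQueues and sqs:GetQueueAttributes; any queue not reported as customer-managed-cmk is a candidate for the set-queue-attributes command above.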
Use the following references for additional information regarding SSE for SQS:
https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html
CLI:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html