Amazon SQS (Simple Queue Service)
  1. CNS Policies
  2. AWS Knowledge Base
  3. Amazon SQS (Simple Queue Service)

SQS Not Encrypted

This plugin ensures that messages sent to SQS queues are encrypted on the server-side.

Risk Level: MEDIUM

Description:

This plugin ensures that messages sent to SQS queues are encrypted on the server-side. Encryption may be added to existing queues with minimum overhead.


Recommended Action: Enable encryption using KMS for all SQS queues.

About the Service :

SQS (Amazon Simple Queue Service) is a fully managed message queuing service for decoupling and scaling microservices, distributed systems, and serverless applications. SQS removes the complexity and overhead of managing and operating message-oriented middleware, allowing developers to concentrate on work that is unique. You may send, store, and receive messages across software components using SQS at any volume without losing messages or necessitating the availability of other services.

Impact:

Implementing encryption is strongly advised. When you use AWS SQS queues to send and receive sensitive data messages, you can make the contents of these messages inaccessible to unauthorized or anonymous users.

Steps to reproduce :

  1. Sign in to your AWS Management Console.
  2. Navigate to the SQS dashboard at: https://console.aws.amazon.com/sqs/
  3. Select the SQS queue that you want to examine.
  4. Choose the Encryption tab from the bottom panel and verify the Server-Side Encryption (SSE) configuration for the selected SQS queue.
  5. Repeat steps no. 3-5 for each SQS present in the current region as well as for other regions.

Steps for remediation :


  1. Sign in to your AWS Management Console.
  2. Navigate to the SQS dashboard at: https://console.aws.amazon.com/sqs/
  3. Select the SQS queue that you want to examine.
  4. Choose the Encryption tab from the bottom panel and verify the Server-Side Encryption (SSE) configuration for the selected SQS queue.
  5. Click on Enable.
  6. Select an encryption key from the Customer master key dropdown list.
  7. Click on Save to apply the changes.
  8. Repeat steps no. 3-7 for each SQS present in the current region as well as for other regions.

References: