Skip to main content

More Info:

Amazon SQS queues should enforce Server-Side Encryption (SSE) to protect the contents of their messages. This way contents of your messages will be unavailable to unauthorized or anonymous users.

Risk Level

High

Addresses

Security

Compliance Standards

HIPAA,ISO27001,HITRUST,NISTCSF,SEBI

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration of an SQS Queue not enforcing server-side encryption in AWS using the AWS Management Console, follow these step-by-step instructions:
  1. Sign in to the AWS Management Console:
  2. Navigate to the Amazon SQS service:
    • From the AWS Management Console, search for “SQS” or find the “Simple Queue Service” under the “Messaging” section.
  3. Select the SQS Queue requiring encryption:
    • Click on the SQS Queue that needs to enforce server-side encryption.
  4. Configure Server-Side Encryption:
    • In the SQS Queue details page, click on the “Configure Queue” button.
  5. Enable Server-Side Encryption:
    • Under the “Server-side encryption” section, select the option to enable server-side encryption.
  6. Choose Encryption Key:
    • Choose the Customer Master Key (CMK) from AWS Key Management Service (KMS) that you want to use for encrypting the messages in the SQS Queue.
  7. Save Changes:
    • Click on the “Save Changes” button to apply the server-side encryption configuration to the SQS Queue.
  8. Verify Encryption Configuration:
    • To ensure that server-side encryption is enforced, you can check the SQS Queue settings to confirm that encryption is enabled.
By following these steps, you have successfully enforced server-side encryption for the SQS Queue in AWS using the AWS Management Console. This will help in securing the messages stored in the queue and ensure compliance with security best practices.

To remediate the misconfiguration of SQS Queue not enforcing server-side encryption in AWS using AWS CLI, follow these steps:
  1. List all the existing SQS Queues to identify the one that needs to be remediated:
aws sqs list-queues
  1. Get the attributes of the specific SQS Queue that needs to enforce server-side encryption. Replace queue-url with the URL of the SQS Queue:
aws sqs get-queue-attributes --queue-url <queue-url> --attribute-names All
  1. Enable server-side encryption on the SQS Queue. Replace queue-url with the URL of the SQS Queue:
aws sqs set-queue-attributes --queue-url <queue-url> --attributes KmsMasterKeyId=alias/aws/sqs, KmsDataKeyReusePeriodSeconds=300, KmsDataKeyReusePeriodSeconds=300
  1. Verify that server-side encryption is enabled on the SQS Queue by checking the attributes again:
aws sqs get-queue-attributes --queue-url <queue-url> --attribute-names All
By following these steps, you can successfully remediate the misconfiguration of SQS Queue not enforcing server-side encryption in AWS using AWS CLI.
To enforce server-side encryption for an AWS SQS queue using Python, you can follow these steps:
  1. Import the necessary libraries:
import boto3
  1. Initialize the SQS client:
sqs = boto3.client('sqs')
  1. Get the URL of the SQS queue:
queue_url = 'YOUR_QUEUE_URL'
  1. Update the SQS queue attributes to enable server-side encryption:
response = sqs.set_queue_attributes(
    QueueUrl=queue_url,
    Attributes={
        'KmsMasterKeyId': 'YOUR_KMS_KEY_ID',
        'KmsDataKeyReusePeriodSeconds': '300',  # Optional, specify the data key reuse period
        'Policy': '{"Version": "2012-10-17","Id": "Queue_Policy","Statement": [{"Effect": "Allow","Principal": "*","Action": "SQS:SendMessage","Resource": "YOUR_QUEUE_ARN","Condition": {"StringEquals": {"aws:SourceAccount": "YOUR_ACCOUNT_ID"}}}]}'
    }
)
Replace YOUR_QUEUE_URL, YOUR_KMS_KEY_ID, YOUR_QUEUE_ARN, and YOUR_ACCOUNT_ID with your actual values.
  1. Verify that the server-side encryption is enabled for the SQS queue:
response = sqs.get_queue_attributes(
    QueueUrl=queue_url,
    AttributeNames=['All']
)
print(response['Attributes']['KmsMasterKeyId'])
By following these steps, you can remediate the misconfiguration and enforce server-side encryption for an AWS SQS queue using Python.
I