AWS SQS queue should be encrypted

• GG_ID: GG_IAC_0062
• Severity: HIGH
• Complexity: LOW
• Categories: DATA, PERMISSION
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue to integrate and decouple distributed software systems and components.

Queue messages should always be encrypted at rest to protect the data if accesses are compromised.

Impact

Not encrypting data could lead to data leak in case of an attack.

Remediation guidelines

Enable encryption at rest for the SQS queue. Note that all requests to queues with encryption enabled must use HTTPS and Signature Version 4. To this date, some AWS services which can send notifications to SQS queues are only compatible with encryption for standard queues (and not FIFO queues).

External documentation

• Configuring server-side encryption for a queue
• SQS encryption