AWS SQS queue should be encrypted
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | DATA, PERMISSION |
Description
Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue to integrate and decouple distributed software systems and components.
Queue messages should always be encrypted at rest and in transit, to help protect the integrity and confidentiality of message content.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | True |
Not encrypting queue messages could lead to a data leak.
Remediation guidelines
Explicitly enable encryption at rest for the SQS queue.
By default, SQS queues created after October 2022 are encrypted at rest with an AWS-managed encryption key. However, it is best practice to be explicit about encryption and security properties rather than relying on defaults. Ensure you explicitly configure either SQS-managed SSE (SSE-SQS) or SSE-KMS when creating the queue.
Note that all requests to queues with encryption enabled must use HTTPS and Signature Version 4. At the time of writing, some AWS services that can send notifications to SQS queues only support encryption for standard queues, not FIFO queues.
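One way to check queues against this rule, as an added example that is not part of the original page: the function evaluates the `KmsMasterKeyId` and `SqsManagedSseEnabled` attributes that SQS returns from `GetQueueAttributes`, classifying each queue as SSE-KMS, SSE-SQS, or unencrypted. The sample attribute sets are constructed; the `audit_account` helper assumes boto3 and AWS credentials are available and is not needed to run the offline checks.

```python
"""Audit SQS queues for encryption at rest (SSE-SQS or SSE-KMS)."""
from typing import Dict, List, Optional

# Attribute names as returned by the SQS GetQueueAttributes API.
KMS_KEY_ATTR = "KmsMasterKeyId"          # set only when SSE-KMS is enabled
MANAGED_SSE_ATTR = "SqsManagedSseEnabled"  # "true" when SSE-SQS is enabled


def encryption_mode(attributes: Dict[str, str]) -> Optional[str]:
    """Return 'SSE-KMS', 'SSE-SQS', or None when the queue is not encrypted at rest."""
    if attributes.get(KMS_KEY_ATTR):
        return "SSE-KMS"
    if attributes.get(MANAGED_SSE_ATTR, "false").lower() == "true":
        return "SSE-SQS"
    return None


def evaluate_queue(queue_url: str, attributes: Dict[str, str]) -> Dict[str, object]:
    """Produce one finding: the queue, whether it satisfies the rule, and the mode in use."""
    mode = encryption_mode(attributes)
    return {"queue": queue_url, "compliant": mode is not None, "mode": mode or "NONE"}


def audit_account(region: str) -> List[Dict[str, object]]:
    """Scan every queue in a region (requires boto3 and credentials; not run offline)."""
    import boto3  # imported here so the offline checks below do not need it
    sqs = boto3.client("sqs", region_name=region)
    findings = []
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            attrs = sqs.get_queue_attributes(
                QueueUrl=url, AttributeNames=[KMS_KEY_ATTR, MANAGED_SSE_ATTR]
            )["Attributes"]
            findings.append(evaluate_queue(url, attrs))
    return findings


# Constructed sample attribute sets (placeholder account id, not real queues).
SAMPLE_QUEUES: Dict[str, Dict[str, str]] = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/orders-kms":
        {"KmsMasterKeyId": "alias/aws/sqs", "SqsManagedSseEnabled": "false"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/orders-sse": {"SqsManagedSseEnabled": "true"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/orders-plain": {"SqsManagedSseEnabled": "false"},
}


def audit_samples() -> List[Dict[str, object]]:
    """Run the rule over the constructed samples; the last queue should be flagged."""
    return [evaluate_queue(url, attrs) for url, attrs in SAMPLE_QUEUES.items()]


if __name__ == "__main__":
    for finding in audit_samples():
        print("PASS" if finding["compliant"] else "FAIL", finding["mode"], finding["queue"])
```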