
AWS SQS queue should be encrypted

Severity: HIGH
Exploitability: HIGH
Providers: AWS
Categories: DATA, PERMISSION

Description

Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue to integrate and decouple distributed software systems and components.

Queue messages should always be encrypted at rest and in transit, to help protect the integrity and confidentiality of message content.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: True

Remediation guidelines

Explicitly enable encryption at rest for the SQS queue.

By default, SQS queues created after October 2022 are encrypted at rest with an AWS-managed encryption key. However, it is best practice to be explicit about encryption and security properties rather than relying on defaults. Ensure you explicitly configure either SQS-managed SSE (SSE-SQS) or SSE-KMS when creating the queue.

Note that all requests to queues with encryption enabled must use HTTPS and Signature Version 4. At the time of writing, some AWS services that can send notifications to SQS queues only support encryption for standard queues (and not FIFO queues).
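The following is an added example, not part of the original rule page or any AWS tooling. It shows how to read the attributes that GetQueueAttributes returns and classify a queue as SSE-KMS, SSE-SQS or unencrypted, and how to build the explicit attribute set for CreateQueue or SetQueueAttributes. The queue URLs, ARNs and key alias in the sample data are constructed; the `audit_with_client` function assumes a boto3 SQS client is passed in and is not executed here.

```python
"""Audit SQS encryption-at-rest settings and build explicit encryption attributes."""
from typing import Dict, Optional

def encryption_status(attrs: Dict[str, str]) -> str:
    """Classify the 'Attributes' map returned by GetQueueAttributes.

    Returns 'SSE-KMS' when a customer/AWS-managed KMS key is set,
    'SSE-SQS' when SQS-managed SSE is enabled, otherwise 'NONE'.
    A KMS key takes precedence because the two modes are mutually exclusive.
    """
    if attrs.get("KmsMasterKeyId"):
        return "SSE-KMS"
    if attrs.get("SqsManagedSseEnabled", "").lower() == "true":
        return "SSE-SQS"
    return "NONE"

def is_compliant(attrs: Dict[str, str]) -> bool:
    """True when encryption at rest is explicitly present in the attributes."""
    return encryption_status(attrs) != "NONE"

def encrypted_queue_attributes(kms_key_id: Optional[str] = None, fifo: bool = False,
                               data_key_reuse_seconds: int = 300) -> Dict[str, str]:
    """Build an Attributes map that makes encryption explicit at creation time.

    With kms_key_id set, SSE-KMS is configured (reuse period 60-86400 s, default 300);
    otherwise SQS-managed SSE is enabled. FIFO queue names must also end in '.fifo'.
    """
    attrs: Dict[str, str] = {"FifoQueue": "true"} if fifo else {}
    if kms_key_id:
        attrs["KmsMasterKeyId"] = kms_key_id
        attrs["KmsDataKeyReusePeriodSeconds"] = str(data_key_reuse_seconds)
    else:
        attrs["SqsManagedSseEnabled"] = "true"
    return attrs

# Constructed sample: what GetQueueAttributes might return for three queues (not real queues).
SAMPLE_QUEUES: Dict[str, Dict[str, str]] = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/orders": {"SqsManagedSseEnabled": "false"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/events": {"SqsManagedSseEnabled": "true"},
    "https://sqs.us-east-1.amazonaws.com/123456789012/audit.fifo": {
        "FifoQueue": "true", "KmsMasterKeyId": "alias/example-sqs-key"},
}

def audit(queues: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each queue URL to its encryption status."""
    return {url: encryption_status(attrs) for url, attrs in queues.items()}

def audit_with_client(sqs) -> Dict[str, str]:
    """Same audit against a live account; 'sqs' is a boto3 SQS client (assumed, not run here).
    ListQueues returns at most 1000 URLs per call; use NextToken for larger accounts."""
    results = {}
    for url in sqs.list_queues().get("QueueUrls", []):
        attrs = sqs.get_queue_attributes(
            QueueUrl=url, AttributeNames=["KmsMasterKeyId", "SqsManagedSseEnabled"])["Attributes"]
        results[url] = encryption_status(attrs)
    return results
```

Flag every queue reported as NONE, and treat SSE-SQS on a FIFO queue as a candidate for the producer-compatibility caveat above.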

References
