Ensure that your Amazon Simple Queue Service (SQS) queues are using KMS CMK customer-managed keys instead of AWS managed-keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the queues data encryption/decryption process.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you create and use your own KMS CMK customer-managed keys to protect the contents of your SQS queue messages, you obtain full control over who can use the CMK keys and access the data encrypted within queue messages. The AWS KMS service allows you to create, rotate, disable, enable, and audit your Customer Master Keys (CMKs) for Amazon SQS.
Note: As of May 2017, Server-Side Encryption (SSE) with KMS CMK for AWS SQS is available only in the US East (Ohio) and US West (Oregon) regions.
To determine if AWS KMS CMK customer-managed keys are used for your SQS queues data encryption as opposed to default keys, perform the following:
Remediation / Resolution
To use your own Amazon KMS CMK customer-managed keys for SQS queues Server-Side Encryption (SSE), perform the following commands:
- AWS Documentation
- Amazon SQS FAQs
- Protecting Data Using Server-Side Encryption (SSE) and AWS KMS
- Configuring Server-Side Encryption (SSE) for an Existing Amazon SQS Queue
- Creating Keys >
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
SQS Encrypted With KMS Customer Master Keys
Risk level: High