Ensure that your Amazon Simple Queue Service (SQS) queues protect the contents of their messages with Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate the data keys required to encrypt and decrypt SQS messages. There is no additional charge for using SQS Server-Side Encryption; however, there is a charge for using AWS KMS.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use AWS SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement encryption so that the contents of these messages are unavailable to unauthorized or anonymous users. Encryption and decryption are handled transparently by SQS SSE and do not require any additional action from you or your application.
Audit
To determine if your Amazon SQS queues have the Server-Side Encryption feature enabled, perform the following:
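One way to evaluate this check offline, as an added example that is not Conformity's own audit procedure: the script classifies each queue from the JSON printed by `aws sqs get-queue-attributes`. It goes slightly beyond the page by also recognising the `SqsManagedSseEnabled` attribute (SQS-managed keys), which the page does not mention; the queue URLs, account ID and key alias are constructed sample values.

```python
import json

# Constructed sample data: raw JSON as printed by
#   aws sqs get-queue-attributes --queue-url <url> --attribute-names All
# Queue URLs, the account ID and the key alias are made up.
BASE = "https://sqs.us-east-1.amazonaws.com/111122223333/"
SAMPLE_OUTPUTS = {
    BASE + "orders": json.dumps({"Attributes": {
        "KmsMasterKeyId": "alias/example-orders-key",
        "KmsDataKeyReusePeriodSeconds": "300"}}),
    BASE + "events": json.dumps({"Attributes": {
        "SqsManagedSseEnabled": "true"}}),
    BASE + "legacy": json.dumps({"Attributes": {
        "SqsManagedSseEnabled": "false", "VisibilityTimeout": "30"}}),
    # Empty output: no attributes came back for this queue.
    BASE + "scratch": "",
}


def classify_sse(cli_output):
    """Return 'SSE-KMS', 'SSE-SQS' or 'UNENCRYPTED' for one queue."""
    doc = json.loads(cli_output) if cli_output.strip() else {}
    attrs = doc.get("Attributes") or {}
    # A non-empty KmsMasterKeyId means messages are encrypted with a KMS key.
    if attrs.get("KmsMasterKeyId", "").strip():
        return "SSE-KMS"
    # Attribute values are returned as strings, so compare against "true".
    if attrs.get("SqsManagedSseEnabled", "").lower() == "true":
        return "SSE-SQS"
    return "UNENCRYPTED"


def audit(outputs):
    """Map each queue URL to its SSE mode and list the failing queues."""
    modes = {url: classify_sse(raw) for url, raw in outputs.items()}
    failing = sorted(url for url, mode in modes.items() if mode == "UNENCRYPTED")
    return modes, failing


if __name__ == "__main__":
    modes, failing = audit(SAMPLE_OUTPUTS)
    for url, mode in sorted(modes.items()):
        print(f"{mode:12} {url}")
    print(f"{len(failing)} queue(s) without server-side encryption")
```

To run it against a real account, collect the queue URLs with `aws sqs list-queues` and pass each queue's `get-queue-attributes` output to `classify_sse`.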
Remediation / Resolution
To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following:

You are auditing:
Queue Server Side Encryption
Risk level: High