Amazon SQS queues should be encrypted to protect sensitive message data at rest.

Why is this an issue?

Amazon Simple Queue Service (SQS) is a managed message queuing service for application-to-application communication. SQS can store messages encrypted as soon as they are received. This rule raises an issue when an SQS queue is created with encryption explicitly disabled.

What is the potential impact?

If an adversary gains physical access to the storage medium, or otherwise reads a message from the file system (for example through a vulnerability in the service), an unencrypted queue lets them read the message contents in the clear. This could expose sensitive information such as personal data, credentials, or business-critical messages.

How to fix it

Code examples

Encryption and decryption are handled transparently by SQS, so no further modifications to the application are necessary.

Noncompliant code example

For AWS::SQS::Queue:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Queue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "unencrypted_queue" # AWS::SQS::Queue has no DisplayName property; QueueName is the valid one
      SqsManagedSseEnabled: false # Noncompliant, encryption disabled

Compliant solution

For AWS::SQS::Queue:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Queue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "encrypted_queue" # AWS::SQS::Queue has no DisplayName property; QueueName is the valid one
      SqsManagedSseEnabled: true # Compliant, SQS-managed server-side encryption enabled
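The following added example (not part of the rule description, and not Sonar's own implementation of the rule) shows the check this rule performs, written as a small Python function over a parsed CloudFormation template. It walks the Resources section, looks at every AWS::SQS::Queue, and flags the queue when SqsManagedSseEnabled is explicitly false. Two details a practitioner would want: CloudFormation also accepts the string "false", so the comparison normalises both forms; and a queue that sets KmsMasterKeyId is encrypted with a KMS key (SSE-KMS) rather than with SQS-owned keys, so it is not flagged. The template is constructed inline in CloudFormation's JSON form so the example runs offline with the standard library only; the queue names and logical IDs are made up for the example.

```python
"""Flag AWS::SQS::Queue resources whose encryption is explicitly disabled.

Added example: a static check over a parsed CloudFormation template, using only
the standard library. It is not the rule's own implementation.
"""
import json

SQS_QUEUE = "AWS::SQS::Queue"


def _as_bool(value):
    """Normalise a CloudFormation boolean.

    CloudFormation accepts true/false as YAML/JSON booleans or as the strings
    "true"/"false". Anything else (e.g. an intrinsic function such as
    {"Ref": "..."}) cannot be decided statically and yields None.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return None


def find_unencrypted_queues(template):
    """Return the logical IDs of SQS queues created with encryption explicitly disabled.

    A queue is flagged when SqsManagedSseEnabled is false and no KmsMasterKeyId
    (SSE-KMS) is configured. Queues that omit SqsManagedSseEnabled are not
    flagged: the rule targets explicit disabling, not the service default.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SQS_QUEUE:
            continue
        props = resource.get("Properties") or {}
        if "KmsMasterKeyId" in props:
            continue  # encrypted with a KMS key instead of SQS-owned keys
        if _as_bool(props.get("SqsManagedSseEnabled")) is False:
            findings.append(logical_id)
    return findings


# Constructed sample template (JSON form of a CloudFormation template); the
# logical IDs and queue names are invented for this example.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "UnencryptedQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "unencrypted_queue", "SqsManagedSseEnabled": false}
    },
    "StringFalseQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "string_false_queue", "SqsManagedSseEnabled": "false"}
    },
    "SseSqsQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "encrypted_queue", "SqsManagedSseEnabled": true}
    },
    "KmsQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "kms_queue", "KmsMasterKeyId": "alias/aws/sqs"}
    },
    "DefaultQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "default_queue"}
    },
    "NotAQueue": {
      "Type": "AWS::SNS::Topic"
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id in find_unencrypted_queues(SAMPLE_TEMPLATE):
        print(f"{logical_id}: SQS queue created with encryption explicitly disabled")
```

Run on the sample template, the check reports UnencryptedQueue and StringFalseQueue only. For a YAML template, parse it with a YAML loader that understands CloudFormation's short-form intrinsic tags and pass the resulting dictionary to the same function; values produced by intrinsic functions are left undecided rather than guessed.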
