It is highly recommended to implement data encryption for messages containing sensitive data that are sent and received using Amazon SQS queues. This is to prevent unauthorized or anonymous users from accessing the message contents. To enable encryption, Amazon SQS provides the Server-Side Encryption (SSE) feature, which handles encryption and decryption transparently without requiring additional action from you or your application. To ensure protection of message contents, enable Server-Side Encryption (SSE) for your Amazon Simple Queue Service (SQS) queues. SQS uses a KMS Customer Master Key (CMK) to generate the data keys required for the encryption and decryption process of SQS messages. Using SQS Server-Side Encryption does not incur additional charges, however, there is a charge for using Amazon KMS.


Here are the remediation steps to ensure that encryption is enabled for Amazon SQS queues:

  1. Open the Amazon SQS console.
  2. Select the SQS queue for which you want to enable encryption.
  3. Click on "Configure Queue" in the "Queue Actions" drop-down menu.
  4. In the "Encryption" section, select "Enable encryption".
  5. Choose the KMS key to use for encryption, or create a new one if needed.
  6. Click "Save changes" to enable encryption for the selected SQS queue.

You can also use AWS CLI or SDKs to enable encryption for SQS queues.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.