CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
When using SQS queues to send and receive sensitive data, message payloads should be encrypted using server-side encryption with keys managed in KMS (SSE-KMS). Using SQS-owned keys (SSE-SQS) is also an option, but lacks the benefits of using KMS, including viewing key policies, auditing usage, and rotating cryptographic material.
Ensure that the aws_sqs_queue kms_master_key_id field is set to the ID of an AWS-managed KMS key or the sqs_managed_sse_enabled field is set to true.
Example configuration:
# Option 1: SSE-KMS with a key managed in KMS
resource "aws_sqs_queue" "example-queue" {
  name                              = "my-example-queue"
  kms_master_key_id                 = aws_kms_key.test-key.id
  kms_data_key_reuse_period_seconds = 300
}

# Option 2 (alternative to the above, not in addition): SSE-SQS with SQS-owned keys
resource "aws_sqs_queue" "example-queue" {
  name                    = "my-example-queue"
  sqs_managed_sse_enabled = true
}
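One way to enforce this rule before apply, as an added example that is not part of the original page or of any scanner's own code: a check over the JSON produced by `terraform show -json <planfile>`. It treats a `kms_master_key_id` that is still unknown at plan time (a key created in the same plan) as set; `SAMPLE_PLAN` is constructed and the function names are illustrative.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields this check reads.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
  {"address": "aws_sqs_queue.kms_literal", "type": "aws_sqs_queue", "change":
    {"actions": ["create"], "after": {"kms_master_key_id": "alias/aws/sqs"}, "after_unknown": {}}},
  {"address": "aws_sqs_queue.kms_new_key", "type": "aws_sqs_queue", "change":
    {"actions": ["create"], "after": {"name": "q2"}, "after_unknown": {"kms_master_key_id": true}}},
  {"address": "aws_sqs_queue.sse_sqs", "type": "aws_sqs_queue", "change":
    {"actions": ["update"], "after": {"kms_master_key_id": null, "sqs_managed_sse_enabled": true}}},
  {"address": "aws_sqs_queue.plain", "type": "aws_sqs_queue", "change":
    {"actions": ["create"], "after": {"kms_master_key_id": "", "sqs_managed_sse_enabled": false}}},
  {"address": "aws_sqs_queue.retired", "type": "aws_sqs_queue", "change":
    {"actions": ["delete"], "after": null, "after_unknown": {}}}
]}""")


def queue_encryption(change):
    """Classify one aws_sqs_queue change as 'SSE-KMS', 'SSE-SQS' or None."""
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    # A key created in the same plan has no ID yet: the attribute is missing
    # from "after" and flagged true in "after_unknown". Count it as set.
    if after.get("kms_master_key_id") or unknown.get("kms_master_key_id") is True:
        return "SSE-KMS"
    if after.get("sqs_managed_sse_enabled") is True:
        return "SSE-SQS"
    return None


def unencrypted_queues(plan):
    """Return addresses of queues the plan leaves without SSE configured."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_sqs_queue" or change.get("after") is None:
            continue  # other resource types, or a queue being destroyed
        if queue_encryption(change) is None:
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in unencrypted_queues(SAMPLE_PLAN):
        print(f"{address}: no KMS key set and sqs_managed_sse_enabled is not true")
```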
In a CloudFormation template, set the Properties.KmsMasterKeyId attribute to a KMS key, for example alias/aws/sqs, or set SqsManagedSseEnabled to true.