Severity framework: Snyk CCSS
Rule category: Data / Encryption in Transit
Frameworks
AWS-Well-Architected
CIS-Controls
CSA-CCM
GDPR
HIPAA
ISO-27001
NIST-800-53
SOC-2
- Snyk ID: SNYK-CC-00020
- Credit: Snyk Research Team
Description
When using SQS queues to send and receive sensitive data, message payloads should be encrypted using server-side encryption with keys managed in KMS (SSE-KMS). Using SQS owned keys (SSE-SQS) is also an option, but lacks the benefits of using KMS, including viewing key policies, auditing usage, and rotating cryptographic material.
How to fix?
Ensure that the aws_sqs_queue kms_master_key_id field is set to the ID of an AWS-managed KMS key, or that the sqs_managed_sse_enabled field is set to true.
Example Configuration
# Option 1: SSE-KMS. The key is referenced from an aws_kms_key resource
# ("test-key") that must be defined elsewhere in the configuration.
resource "aws_sqs_queue" "example-queue" {
  name                              = "my-example-queue"
  kms_master_key_id                 = aws_kms_key.test-key.id
  kms_data_key_reuse_period_seconds = 300
}

# Option 2: SSE-SQS (SQS-owned key). Use one option or the other for a
# given queue; the two resource blocks above and below are alternatives,
# not meant to coexist under the same name.
resource "aws_sqs_queue" "example-queue" {
  name                    = "my-example-queue"
  sqs_managed_sse_enabled = true
}
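The rule above can be checked before apply by reading a Terraform plan rather than the HCL itself. The following is an added example (not Snyk's rule engine and not part of the original page): it walks the `planned_values` tree of `terraform show -json <planfile>` output, descends into child modules, and reports every aws_sqs_queue that has neither a non-empty kms_master_key_id nor sqs_managed_sse_enabled = true. The embedded plan JSON, the queue names and the module address are constructed for the demonstration.

```python
from __future__ import annotations

import json
from typing import Any, Iterator

# Constructed sample of `terraform show -json <planfile>` output, trimmed to
# the fields this check reads. Queue names and addresses are made up.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_sqs_queue.kms_queue",
          "type": "aws_sqs_queue",
          "name": "kms_queue",
          "values": {
            "name": "orders-kms",
            "kms_master_key_id": "alias/example-sqs-key",
            "kms_data_key_reuse_period_seconds": 300
          }
        },
        {
          "address": "aws_sqs_queue.sqs_sse_queue",
          "type": "aws_sqs_queue",
          "name": "sqs_sse_queue",
          "values": {"name": "orders-sse-sqs", "sqs_managed_sse_enabled": true}
        },
        {
          "address": "aws_sqs_queue.plain_queue",
          "type": "aws_sqs_queue",
          "name": "plain_queue",
          "values": {"name": "orders-plain", "sqs_managed_sse_enabled": false}
        }
      ],
      "child_modules": [
        {
          "address": "module.notifications",
          "resources": [
            {
              "address": "module.notifications.aws_sqs_queue.dlq",
              "type": "aws_sqs_queue",
              "name": "dlq",
              "values": {"name": "notifications-dlq"}
            }
          ]
        }
      ]
    }
  }
}
"""
SAMPLE_PLAN: dict[str, Any] = json.loads(SAMPLE_PLAN_JSON)


def iter_resources(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def sqs_encryption_finding(values: dict[str, Any]) -> str | None:
    """Return None when the queue satisfies SNYK-CC-00020, else the reason it fails."""
    kms_key = values.get("kms_master_key_id")
    if isinstance(kms_key, str) and kms_key.strip():
        return None  # SSE-KMS: key policy, audit trail and rotation live in KMS
    if values.get("sqs_managed_sse_enabled") is True:
        return None  # SSE-SQS: encrypted at rest, without the KMS benefits
    # Caveat: attributes only known after apply (for example a key id taken from
    # an aws_kms_key that the same plan creates) are omitted from planned_values,
    # so such a queue shows up here and needs a second look against resource_changes.
    return "neither kms_master_key_id nor sqs_managed_sse_enabled = true is set"


def find_unencrypted_queues(plan: dict[str, Any]) -> list[dict[str, str]]:
    """Collect findings for every aws_sqs_queue in the plan that fails the rule."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings: list[dict[str, str]] = []
    for res in iter_resources(root):
        if res.get("type") != "aws_sqs_queue":
            continue
        reason = sqs_encryption_finding(res.get("values", {}))
        if reason is not None:
            findings.append({"address": res["address"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_unencrypted_queues(SAMPLE_PLAN):
        print(f"{finding['address']}: {finding['reason']}")
```

Run against a real plan with `terraform show -json plan.tfplan > plan.json` and `json.load(open("plan.json"))` in place of `SAMPLE_PLAN`. A queue with `sqs_managed_sse_enabled = false` and no key is treated the same as one with neither attribute, which matches the rule's intent: only an explicit key reference or an explicit `true` counts as encrypted.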