[SQS.1]
Amazon SQS queues should be encrypted at rest
Description
All SQS queues must be encrypted at rest using AWS Key Management Service (AWS KMS). Encrypting data at rest minimizes the risk of it being read by an unauthorized entity. This rule is COMPLIANT when an SQS queue is encrypted at rest with a KMS key.
Details
Property | Value
---|---
Category | Protect > Data protection > Encryption of data at rest
Compliance Control ID | SQS.1
FortifyFox ID | FF100025
Link | SQS.1 Compliance
Resource Type(s) | AWS::SQS::Queue
Severity | Medium
Parameters | KmsMasterKeyId
Value | String (ID of an AWS KMS key)
Remediation
Use the following CloudFormation templates to deploy an SQS queue compliant with SQS.1.
YAML Template
```yaml
Resources:
  kmsKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Enabled: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  -
                    - "arn:aws:iam::"
                    - Ref: "AWS::AccountId"
                    - ":root"
            Action: "kms:*"
            Resource: "*"
  sqsQueue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref kmsKey
```
JSON Template
```json
{
  "Resources": {
    "kmsKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "sqsQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "KmsMasterKeyId": {
          "Ref": "kmsKey"
        }
      }
    }
  }
}
```
📓 Notes
- If you already have a KMS key, you can skip the kmsKey resource and replace kmsKey with the ID of your key.
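As an added example (not part of this rule page or of the FortifyFox tooling), the following standard-library Python applies the SQS.1 check to a parsed CloudFormation JSON template before deployment. The sample template and its logical IDs are constructed for the demonstration; the checker also accepts a `Ref` to a template Parameter and a `Fn::GetAtt` on an in-template key, which goes slightly beyond the literal `!Ref kmsKey` form shown above.

```python
import json

SQS_QUEUE = "AWS::SQS::Queue"
KMS_KEY = "AWS::KMS::Key"

def _kms_key_resolves(value, template):
    """True if KmsMasterKeyId names a key: a non-empty literal (key ID, ARN or
    alias), a Ref/GetAtt to an AWS::KMS::Key in this template, or a Ref to a
    template Parameter (value supplied at deploy time, so not checkable here)."""
    resources = template.get("Resources", {})
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, dict) and "Ref" in value:
        target = value["Ref"]
        if target in template.get("Parameters", {}):
            return True
        return resources.get(target, {}).get("Type") == KMS_KEY
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        return resources.get(value["Fn::GetAtt"][0], {}).get("Type") == KMS_KEY
    return False  # missing, null or an intrinsic this checker does not follow

def check_sqs_1(template):
    """Evaluate SQS.1 over a parsed CloudFormation template (a dict).
    Returns {logical_id: "COMPLIANT" | "NON_COMPLIANT"} for every SQS queue."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != SQS_QUEUE:
            continue
        key_id = res.get("Properties", {}).get("KmsMasterKeyId")
        ok = _kms_key_resolves(key_id, template)
        findings[logical_id] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return findings

# Constructed sample template (not from the page) covering the main cases:
# Ref to an in-template key, a literal alias, no key at all, and a dangling Ref.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "kmsKey":        {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true}},
    "refQueue":      {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": {"Ref": "kmsKey"}}},
    "aliasQueue":    {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "plainQueue":    {"Type": "AWS::SQS::Queue", "Properties": {"QueueName": "plain"}},
    "danglingQueue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": {"Ref": "noSuchKey"}}}
  }
}""")

if __name__ == "__main__":
    for queue, status in check_sqs_1(SAMPLE_TEMPLATE).items():
        print(f"{queue}: {status}")
```

A `Ref` to a Parameter is reported as compliant only because its value cannot be inspected statically; the deployed queue should still be verified after the stack is created.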