Amazon SQS queues are evaluated for server-side encryption configured with a KMS key (SSE-KMS) protecting message bodies at rest.
Queues without an associated KMS key are identified.
Risk
Without KMS-backed SSE, message bodies are not protected by a key that the account controls, and key usage is not audited in detail. Secrets, tokens or PII in messages become easier to access through privilege misuse, misconfiguration or unintended integrations, which reduces confidentiality and limits containment, since access cannot be revoked by disabling or rotating the key.
prowler aws --checks sqs_queues_server_side_encryption_enabled
Recommendation
Enable SSE-KMS on all queues using a customer-managed KMS key.
- Apply least privilege to key and queue policies; restrict Encrypt/Decrypt
- Enforce key rotation and separation of duties
- Tune data key reuse for security vs. cost
- Monitor key and queue access to support defense in depth
Remediation
aws sqs set-queue-attributes --queue-url <QUEUE_URL> --attributes KmsMasterKeyId=<KMS_KEY_ID_OR_ALIAS>
- In the AWS Console, go to Amazon SQS > Queues
- Select the queue and click Edit
- Expand Encryption
- Set Server-side encryption to Enabled
- For AWS KMS key, select alias/aws/sqs (or choose a specific KMS key)
- Click Save
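The evaluation this check performs, written out as an added example (not Prowler's own source or AWS code): it classifies each queue from its GetQueueAttributes output, treats SQS-managed SSE as a finding because it has no KMS key, and flags the AWS-managed alias so the customer-managed-key recommendation can be verified. The sample attributes, queue URLs and account id are constructed; the live pass at the bottom assumes boto3 and credentials with sqs:ListQueues and sqs:GetQueueAttributes.

```python
# Offline evaluation of SQS queue attributes for KMS-backed SSE, plus an
# optional live pass with boto3. Attribute names follow sqs:GetQueueAttributes.
from typing import Dict, List

# Constructed sample: GetQueueAttributes output for four queues (account id is fake).
SAMPLE_QUEUES: Dict[str, Dict[str, str]] = {
    "https://sqs.us-east-1.amazonaws.com/111122223333/no-sse": {},
    "https://sqs.us-east-1.amazonaws.com/111122223333/sse-sqs": {
        "SqsManagedSseEnabled": "true"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/aws-managed-kms": {
        "KmsMasterKeyId": "alias/aws/sqs", "KmsDataKeyReusePeriodSeconds": "300"},
    "https://sqs.us-east-1.amazonaws.com/111122223333/cmk": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
        "KmsDataKeyReusePeriodSeconds": "86400"},
}


def classify_encryption(attrs: Dict[str, str]) -> str:
    """Return 'NONE', 'SSE_SQS' or 'SSE_KMS' for one queue's attributes."""
    if attrs.get("KmsMasterKeyId"):
        return "SSE_KMS"
    # SQS-owned keys encrypt at rest but give no tenant-controlled key to
    # disable or rotate, so the check treats them as a finding.
    if attrs.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "SSE_SQS"
    return "NONE"


def uses_aws_managed_alias(attrs: Dict[str, str]) -> bool:
    """alias/aws/sqs is the AWS-managed key; the recommendation asks for a CMK.
    A bare key ID or ARN cannot be classified here without kms:DescribeKey."""
    return attrs.get("KmsMasterKeyId", "").startswith("alias/aws/")


def failing_queues(queues: Dict[str, Dict[str, str]]) -> List[str]:
    """Queue URLs without a KMS key, i.e. the check's FAIL set."""
    return [url for url, attrs in queues.items()
            if classify_encryption(attrs) != "SSE_KMS"]


if __name__ == "__main__":
    import boto3  # only needed for the live run against your account
    sqs = boto3.client("sqs")
    live = {url: sqs.get_queue_attributes(QueueUrl=url, AttributeNames=["All"])["Attributes"]
            for url in sqs.list_queues().get("QueueUrls", [])}
    for url in failing_queues(live):
        print("FAIL", classify_encryption(live[url]), url)
```

Queues reported as SSE_KMS but with `uses_aws_managed_alias` true pass the check yet still fall short of the customer-managed-key recommendation above.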
Resource Type
AwsSqsQueue
References
- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/SQS/queue-encrypted-with-kms-customer-master-keys.html
- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html