AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
SQS Queue Should Enforce Use CMK For Encryption
More Info:
SQS Queue Should Enforce Use CMK For Encryption
Risk Level
High
Addresses
Security
Compliance Standards
AWSWAF
Triage and Remediation
Remediation
Here are the step-by-step instructions to remediate this issue:
-
Sign in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.
-
In the navigation pane, choose “Queues”.
-
In the list of queues, choose the name of the queue that you want to encrypt.
-
In the details pane, choose the “Edit” button next to “Queue Attributes”.
-
In the “Encryption section”, choose “Enable” for “Server-side encryption”.
-
For “Customer master key (CMK)”, choose “Use a KMS master key” to use a customer-managed CMK.
-
Click on “Save”.
Please note that these steps will enable encryption for the selected queue and not for the messages in the queue. The messages in the queue need to be encrypted separately.
Also, remember that once you enable server-side encryption (SSE) for a queue, you cannot disable it. The only way to stop using SSE for a queue is to delete the queue and create a new one without SSE.
To remediate this misconfiguration, you need to enforce the use of Customer Managed Key (CMK) for encryption in AWS SQS. Here are the step-by-step instructions using AWS CLI:
Step 1: Install and Configure AWS CLI Before you begin, make sure you have AWS CLI installed on your machine. If not, you can download it from the official AWS CLI website. After installation, configure it with your AWS credentials.
Step 2: Identify the SQS Queue Identify the Amazon SQS queue that is not using a Customer Managed Key (CMK) for server-side encryption. You can list all your SQS queues using the following command:
aws sqs list-queues
Step 3: Create a CMK Create a Customer Managed Key (CMK) using AWS Key Management Service (KMS). To create a CMK, use the following command:
aws kms create-key --description "My CMK key"
Take note of the KeyId in the output as you will need it in the next step.
Step 4: Enable Server-Side Encryption Enable server-side encryption with the CMK for the identified SQS queue. Use the following command:
aws sqs set-queue-attributes --queue-url <your_queue_url> --attributes KmsMasterKeyId=<your_cmk_key_id>,KmsDataKeyReusePeriodSeconds=300
Replace <your_queue_url> with your SQS queue URL and <your_cmk_key_id> with the KeyId of the CMK you created.
After running the command, your SQS queue should now be using a CMK for server-side encryption. You can verify this by using the get-queue-attributes command:
aws sqs get-queue-attributes --queue-url <your_queue_url> --attribute-names KmsMasterKeyId
This should return the KeyId of the CMK you set for the queue. If it matches the KeyId of the CMK you created, then you have successfully remediated the misconfiguration.
To remediate this issue, you’ll need to create a Customer Master Key (CMK) in AWS Key Management Service (KMS) and then use this key to encrypt your SQS queue. Here is how you can do it using Python and AWS SDK Boto3:
-
First, install the necessary Python library, Boto3, if you haven’t already. You can do this using pip:
pip install boto3 -
Import the boto3 library in your Python script:
import boto3 -
Create a new CMK. To do this, you need to initialize the AWS KMS client and then call the
create_keyfunction:kms = boto3.client('kms') key = kms.create_key(Description='key for SQS encryption', KeyUsage='ENCRYPT_DECRYPT', CustomerMasterKeySpec='SYMMETRIC_DEFAULT') key_id = key['KeyMetadata']['KeyId'] -
Now, with the CMK created, you need to use this key to encrypt your SQS queue. First, initialize the SQS client:
sqs = boto3.client('sqs') -
Then, use the
set_queue_attributesfunction to set the KMSMasterKeyId attribute to the ID of the CMK you created:sqs.set_queue_attributes( QueueUrl='URL_OF_YOUR_QUEUE', Attributes={ 'KmsMasterKeyId': key_id, 'KmsDataKeyReusePeriodSeconds': '300' } )Replace ‘URL_OF_YOUR_QUEUE’ with the URL of your SQS queue.
-
Now your SQS queue is encrypted with the CMK.
Remember to replace the placeholders with your actual values. Also, ensure your AWS credentials are properly set up in your environment. You’ll need the necessary permissions to create keys and modify SQS queues.
These steps will encrypt all the new messages in the queue. If you want to encrypt the existing messages, you’ll need to re-send them to the queue.
.