(sqs): add SSE queue encryption for SQS
Description
Currently you can only select the following queue encryptions:
- UNENCRYPTED
- KMS_MANAGED
- KMS
However, via AWS Console you can also select SSE encryption.
Use Case
We use S3 events, that are automatically forwarded to SQS, but that doesn’t work with KMS encryption, but it does with SSE (we tried this via AWS console).
Proposed Solution
Add a new option SSE to QueueEncryption:
https://github.com/aws/aws-cdk/blob/29039e8bd13a4fdb7f84254038b3331c179273fd/packages/%40aws-cdk/aws-sqs/lib/queue.ts#L192
Other information
No response
Acknowledge
- I may be able to implement this feature request
- This feature might incur a breaking change
Issue Analytics
- State:
- Created 2 years ago
- Reactions:7
- Comments:7 (4 by maintainers)
I’d also like to propose that SSE becomes the default for queues, and that queues that don’t have KMS encryption enabled, get it enabled by default after the rollout.
This affects me because at present, the deadLetterQueueEnabled field on AWS Lambda creates an SQS queue. That queue is then not encrypted, which (depending on your use case) could lead to personal data being stored unencrypted at rest. Any Lambda functions that use this behaviour will have their DLQs show up in AWS Security Hub because they don’t have encryption at rest enabled.
Seems to be documented now: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled
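An added example, not part of the issue or its comments: a check over a synthesized CloudFormation template that reports which AWS::SQS::Queue resources declare SSE-KMS (KmsMasterKeyId), SSE-SQS (the SqsManagedSseEnabled property linked above), or neither, which is how an auto-created dead-letter queue would appear. The sample template and its logical IDs are constructed, and treating an undeclared queue as a finding is a policy assumption of this example.

```python
import json

# Constructed sample template (not from the issue): one queue per case.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "EventsQueue": {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": true}},
    "OrdersQueue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": {"Ref": "OrdersKey"}}},
    "FnDeadLetterQueue": {"Type": "AWS::SQS::Queue"},
    "LegacyQueue": {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": "false"}},
    "OrdersKey": {"Type": "AWS::KMS::Key", "Properties": {}}
  }
}
""")


def _is_true(value):
    # CloudFormation accepts booleans as JSON true/false or as strings.
    return value is True or str(value).lower() == "true"


def classify_queue(resource):
    """Return 'kms', 'sse-sqs', 'disabled' or 'undeclared' for one queue resource."""
    props = resource.get("Properties") or {}
    if props.get("KmsMasterKeyId"):  # literal key id/alias or an intrinsic such as Ref
        return "kms"
    if "SqsManagedSseEnabled" not in props:
        return "undeclared"  # template says nothing; result depends on the service default
    return "sse-sqs" if _is_true(props["SqsManagedSseEnabled"]) else "disabled"


def audit_template(template):
    """Map logical id -> encryption mode for every AWS::SQS::Queue in the template."""
    return {
        logical_id: classify_queue(res)
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::SQS::Queue"
    }


def findings(template):
    """Queues that do not explicitly declare encryption at rest (assumed policy)."""
    modes = audit_template(template)
    return sorted(q for q, mode in modes.items() if mode in ("disabled", "undeclared"))


if __name__ == "__main__":
    for name, mode in sorted(audit_template(SAMPLE_TEMPLATE).items()):
        print(f"{name}: {mode}")
    print("needs review:", findings(SAMPLE_TEMPLATE))
```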