You are currently viewing How To Configure Encryption In SQS

How To Configure Encryption In SQS

How to configure encryption in SQS

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we have discussed how to configure dead letter queue in SQS.

In this blog post, we will discuss how to configure encryption in SQS.

How to configure encryption in SQS:

AWS SQS supports encryption of messages using Server-Side Encryption (SSE). AWS SQS encrypts the data using AWS Key Management Service (KMS). The message is encrypted as soon as they are sent to an encrypted queue and remains in an encrypted state. Once you enable encryption, all the new messages that are sent to the queue will be encrypted but the existing message will not be encrypted. You can encrypt your queue using AWS managed CMK or custom CMK. When you enable encryption for a queue, you need to provide the KMS CMK’s key id and data key reuse period. A data queue reuse is the length of time, in seconds, for which AWS SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. A message once encrypted will remain in an encrypted state even if you disable encryption in for your queue.

Note: SSE encrypts only the body of the message and not its metadata.

Next, we are going to configure encryption in SQS through AWS CLI.

Prerequisite for this demo:

  • AWS SQS FIFO queue.
  • AWS CLI configured with required access.

Step 1: Configure AWS CLI.

Step 2: Create a custom CMK key.

How To Configure Encryption In SQS

Note: SQS will use this key to encrypt the messages. Copy the key id.

Step 3: Query the list of queues available and copy the queue URL.

Step 4: Configure encryption for your queue.

How To Configure Encryption In SQS

Next, we will send a message to the queue and try to receive it with a un-authorized consumer.

Step 5: Send a message and then try to consume the message from a consumer that doesn’t have access to KMS to decrypt the message.

How To Configure Encryption In SQS

Observation: When you send a ReceiveMessage request from and authorized consumer to an encrypted queue, SQS decrypts the message using KMS key id and send the response to the consumer. We have sent a ReceiveMessage request from an unauthorized consumer, hence getting above error.

Hope you have enjoyed this article. In the next blog post, we will discuss monitoring in SQS.

To get more details on AWS SQS, please refer below AWS documentation


Leave a Reply