How to configure encryption in SQS
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to configure a dead-letter queue in SQS.
https://cloudaffaire.com/how-to-configure-dead-letter-queue-in-sqs/
In this blog post, we will discuss how to configure encryption in SQS.
How to configure encryption in SQS:
AWS SQS supports encryption of messages at rest using Server-Side Encryption (SSE) with keys managed in AWS Key Management Service (KMS). A message is encrypted as soon as SQS receives it on an encrypted queue and stays encrypted while it is stored; SQS decrypts it only when it delivers the message to a consumer that is authorized to use the key. Enabling encryption affects only messages sent after the change: messages already in the queue are not re-encrypted, and a message that was encrypted stays encrypted even if you later disable encryption on the queue. You can encrypt a queue with the AWS-managed CMK for SQS (alias/aws/sqs) or with a customer-managed CMK that you create yourself; the customer-managed key is the one to choose when you need to control the key policy, for example to let another AWS service such as SNS publish to the queue. When you enable encryption you set two queue attributes: KmsMasterKeyId (the key ID, key ARN or alias) and KmsDataKeyReusePeriodSeconds, the length of time in seconds for which SQS may reuse a data key to encrypt or decrypt messages before calling KMS again (between 60 seconds and 86,400 seconds, default 300). A shorter reuse period means more KMS calls and higher cost; a longer one means a single data key covers more messages. Because SQS calls KMS with the caller's identity, a producer needs kms:GenerateDataKey and kms:Decrypt on the key and a consumer needs kms:Decrypt, on top of the usual SQS permissions; a consumer without kms:Decrypt cannot read an encrypted queue at all.
Note: SSE encrypts only the body of the message. Queue metadata (queue name and attributes), message metadata (message ID, timestamp and message attributes) and per-queue CloudWatch metrics are not encrypted, so do not put sensitive data in message attributes.
Next, we are going to configure encryption in SQS through AWS CLI.
Prerequisite for this demo:
- An AWS SQS FIFO queue (the send-message step below passes a message group ID and a deduplication ID, which only FIFO queues accept).
- AWS CLI configured with required access.
Step 1: Configure AWS CLI.
```bash
## Create an EC2 instance with an Amazon Linux 2 AMI
## Create a role with admin access and attach it to the instance
## Install the aws cli and jq packages, if not installed already
## Create a script that reads the instance-role credentials from the
## instance metadata service and exports them for the AWS CLI
vi assume_role.sh
-----------------------
#!/bin/bash
# The security-credentials path returns the name of the attached role;
# querying that role name returns the temporary credentials as JSON.
ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/${ROLE}" > cred.json
export AWS_ACCESS_KEY_ID=$(jq -r .AccessKeyId cred.json)
export AWS_SECRET_ACCESS_KEY=$(jq -r .SecretAccessKey cred.json)
export AWS_SESSION_TOKEN=$(jq -r .Token cred.json)
export AWS_EXPIRATION=$(jq -r .Expiration cred.json)
rm -f cred.json
------------------------
:wq
## Source the script (not "sh") so the exports land in the current shell
chmod +x assume_role.sh
source ./assume_role.sh
## Check that the aws cli is working
aws sts get-caller-identity
```
Note: the AWS CLI on an EC2 instance picks up the instance role automatically, so this script is only needed if you want the credentials in environment variables. The credentials expire at AWS_EXPIRATION, so re-source the script when calls start failing, and if the instance enforces IMDSv2 the curl calls need a session token header.
Step 2: Create a custom CMK key.
```bash
## Create a customer-managed CMK (Customer Master Key)
aws kms create-key \
  --region ap-south-1
```
Note: SQS will use this key to encrypt the messages. Copy the KeyId from the KeyMetadata in the response; the key must live in the same region as the queue. The default key policy lets IAM principals in the account use the key through their own IAM permissions. If another AWS service (for example SNS or S3 event notifications) will publish to the encrypted queue, that service principal must be granted kms:GenerateDataKey* and kms:Decrypt in the key policy, otherwise its deliveries fail silently.
Step 3: Query the list of queues available and copy the queue URL.
```bash
## List the available queues in your region
aws sqs list-queues --region ap-south-1
```
Step 4: Configure encryption for your queue.
```bash
## Configure encryption with the CMK
## Replace <queue-url> with the URL from Step 3 and <key-id> with the KeyId from Step 2
## Attribute values are strings; 300 is the default data key reuse period
aws sqs set-queue-attributes \
  --queue-url <queue-url> \
  --region ap-south-1 \
  --attributes '{"KmsMasterKeyId": "<key-id>", "KmsDataKeyReusePeriodSeconds": "300"}'

## Get the current encryption attributes for your FIFO queue
aws sqs get-queue-attributes \
  --queue-url <queue-url> \
  --region ap-south-1 \
  --attribute-names KmsMasterKeyId KmsDataKeyReusePeriodSeconds
```
Next, we will send a message to the queue and try to receive it with an unauthorized consumer.
Step 5: Send a message and then try to consume the message from a consumer that doesn’t have access to KMS to decrypt the message.
```bash
## Send a message to your queue (as the authorized producer from Step 1)
aws sqs send-message \
  --queue-url <queue-url> \
  --message-body "message one" \
  --message-group-id "mymsggrpid1" \
  --message-deduplication-id "mymsgddupid1" \
  --region ap-south-1

## Try to receive the message
## Run this as a principal that has sqs:ReceiveMessage on the queue but
## no kms:Decrypt on the key; with the admin role from Step 1 it will succeed
aws sqs receive-message \
  --queue-url <queue-url> \
  --region ap-south-1
```
Observation: When an authorized consumer sends a ReceiveMessage request to an encrypted queue, SQS calls KMS with that consumer's credentials, decrypts the message body and returns the plaintext in the response. Our second consumer has no kms:Decrypt permission on the key, so KMS refuses the decrypt and the ReceiveMessage call fails with an access-denied error instead of returning the message body. The message stays in the queue; only a consumer that is allowed to use the key will be able to read it.
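To turn the settings explained above and the checks from Steps 2 to 5 into something repeatable, here is an added example (my own code, not part of the original post or of any AWS tool) that audits the attribute map returned by get-queue-attributes for SSE-KMS problems, builds the --attributes JSON with the reuse period validated before the API call, and generates the least-privilege IAM policies a producer and a consumer of an encrypted queue need. It uses only the standard library; the sample attribute maps, queue names and ARNs are constructed for the demo and are not real resources.

```python
"""Audit SQS queue attributes for SSE-KMS and build the policies an encrypted
queue needs.  Added example for this post, not code from the original page or
from AWS; standard library only, so it runs offline.  The sample attribute
maps are constructed to mirror the "Attributes" map that
`aws sqs get-queue-attributes --attribute-names All` returns; the queue and
key ARNs used in the policies are placeholders, not real resources."""
import json

# Documented bounds for KmsDataKeyReusePeriodSeconds and the SQS default.
MIN_REUSE_SECONDS = 60
MAX_REUSE_SECONDS = 86_400
DEFAULT_REUSE_SECONDS = 300
AWS_MANAGED_SQS_KEY = "alias/aws/sqs"


def audit_queue_encryption(attrs, max_reuse_allowed=3600):
    """Return a list of findings for one queue's attribute map.

    An empty list means the queue is encrypted with a customer-managed KMS key
    and its data-key reuse period is within the caller's policy
    (max_reuse_allowed is an organisational limit, not an AWS bound)."""
    findings = []
    key_id = attrs.get("KmsMasterKeyId", "")
    if not key_id:
        # Without KmsMasterKeyId the queue stores message bodies in clear text.
        findings.append("SSE-KMS is not enabled (no KmsMasterKeyId)")
        return findings
    if key_id == AWS_MANAGED_SQS_KEY:
        findings.append("uses the AWS-managed key alias/aws/sqs; its key policy cannot be edited")
    # Attribute values come back as strings; an absent value means the default.
    period = int(attrs.get("KmsDataKeyReusePeriodSeconds", DEFAULT_REUSE_SECONDS))
    if not MIN_REUSE_SECONDS <= period <= MAX_REUSE_SECONDS:
        findings.append(f"KmsDataKeyReusePeriodSeconds={period} is outside "
                        f"{MIN_REUSE_SECONDS}..{MAX_REUSE_SECONDS}")
    elif period > max_reuse_allowed:
        findings.append(f"KmsDataKeyReusePeriodSeconds={period} exceeds the allowed "
                        f"maximum of {max_reuse_allowed}")
    return findings


def queue_attributes_json(key_id, reuse_period=DEFAULT_REUSE_SECONDS):
    """Build the value for `aws sqs set-queue-attributes --attributes`.

    Rejects a reuse period SQS would reject, so the mistake surfaces before the
    API call; values are strings because SQS attribute values are strings."""
    if not MIN_REUSE_SECONDS <= reuse_period <= MAX_REUSE_SECONDS:
        raise ValueError(f"reuse period must be {MIN_REUSE_SECONDS}..{MAX_REUSE_SECONDS}, "
                         f"got {reuse_period}")
    return json.dumps({"KmsMasterKeyId": key_id,
                       "KmsDataKeyReusePeriodSeconds": str(reuse_period)})


def producer_policy(queue_arn, key_arn):
    """Least-privilege IAM policy for a producer: send to the queue and let SQS
    generate (and re-read) data keys under the caller's identity."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": queue_arn},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": key_arn},
    ]}


def consumer_policy(queue_arn, key_arn):
    """Least-privilege IAM policy for a consumer: receive/delete plus kms:Decrypt.
    Without kms:Decrypt on the key, ReceiveMessage is refused (Step 5)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": queue_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
    ]}


# Constructed sample queues (not real get-queue-attributes output).
SAMPLE_QUEUES = {
    "orders.fifo": {"KmsMasterKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                    "KmsDataKeyReusePeriodSeconds": "300"},
    "audit.fifo": {"KmsMasterKeyId": "alias/aws/sqs",
                   "KmsDataKeyReusePeriodSeconds": "86400"},
    "scratch": {"VisibilityTimeout": "30"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_QUEUES.items():
        print(name, audit_queue_encryption(attrs) or ["ok"])
    print(queue_attributes_json("1234abcd-12ab-34cd-56ef-1234567890ab", 900))
    print(json.dumps(consumer_policy("arn:aws:sqs:ap-south-1:111122223333:orders.fifo",
                                     "arn:aws:kms:ap-south-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
                     indent=2))
```

To run the audit against real queues, feed it the Attributes map from `aws sqs get-queue-attributes --queue-url <queue-url> --attribute-names All` for each queue URL that list-queues returns. The max_reuse_allowed limit is a local policy knob: a 24-hour reuse period is valid for AWS but means one compromised data key covers a day of traffic, so most teams cap it lower.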
Hope you have enjoyed this article. In the next blog post, we will discuss monitoring in SQS.
To get more details on AWS SQS, please refer to the AWS documentation below.
https://docs.aws.amazon.com/sqs/index.html