
SQS Encrypted With KMS Customer Master Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SQS-005

Ensure that your Amazon Simple Queue Service (SQS) queues are using KMS Customer Master Keys (CMKs) instead of AWS-managed keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over the SQS data encryption/decryption process.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you create and use your own customer-provided Customer Master Keys (CMKs) to protect Amazon SQS data, you gain full control over who can use the keys and access your SQS queue data. The Amazon KMS service allows you to create, rotate, disable, enable, and audit CMK encryption keys for SQS queues.


Audit

To determine if Server-Side Encryption (SSE) with Customer Master Keys (CMKs) is enabled for your Amazon SQS queues, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SQS console at https://console.aws.amazon.com/sqs/.

03 In the main navigation panel, under Amazon SQS, choose Queues.

04 Click on the name (link) of the SQS queue that you want to examine.

05 Select the Encryption tab from the console bottom panel and check the Server-Side Encryption (SSE) feature configuration. If there is no SSE configuration available in this section and the following message is displayed: "No server-side encryption is set for this queue.", Server-Side Encryption with Customer Master Keys is not enabled for the selected Amazon SQS queue. If an SSE configuration is listed in this section, check the CMK alias attribute value. If the CMK alias value is set to alias/aws/sqs, the data managed by the selected Amazon SQS queue is encrypted using the default master key (AWS-managed key) instead of the KMS Customer Master Key (CMK).

06 Repeat steps no. 4 and 5 for each Amazon SQS queue available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to list the URL of each Amazon SQS queue available in the selected AWS cloud region:

aws sqs list-queues \
  --region us-east-1 \
  --query 'QueueUrls[*]'

02 The command output should return an array with the requested SQS queue URLs:

[
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker",
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-mobile-app-queue"
]

03 Run get-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to examine as the identifier parameter and custom query filters to determine if Server-Side Encryption (SSE) with Customer Master Keys (CMKs) is enabled for the selected SQS queue:

aws sqs get-queue-attributes \
  --region us-east-1 \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker \
  --attribute-names "KmsMasterKeyId" \
  --query 'Attributes.KmsMasterKeyId'

04 The command output should return the alias/name of the KMS key used to encrypt the SQS queue data:

"alias/aws/sqs"

If the get-queue-attributes command output returns null, Server-Side Encryption with Customer Master Keys is not enabled for the selected SQS queue. If the command output returns "alias/aws/sqs", as shown in the output example above, the data managed by the selected Amazon SQS queue is encrypted using the default master key (AWS-managed key) instead of the KMS Customer Master Key (CMK).

05 Repeat steps no. 3 and 4 for each Amazon SQS queue available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
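The CLI audit above, as an added example script (not part of the Conformity page): it runs the same list-queues and get-queue-attributes commands over every queue in the regions you name and classifies each queue's KmsMasterKeyId value as missing, the AWS-managed default key, or a customer-managed CMK. It assumes AWS CLI v2 with credentials allowed to call sqs:ListQueues and sqs:GetQueueAttributes.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit SQS queues in the given
# regions for SSE-KMS with a customer managed CMK (rule SQS-005).
# Assumes AWS CLI v2 and credentials permitting sqs:ListQueues and
# sqs:GetQueueAttributes.

# Map the KmsMasterKeyId attribute value to a finding. With --output text the
# CLI prints "None" for a missing attribute (JSON output prints null).
classify_sqs_key() {
  case "$1" in
    ""|None|null)  echo "NO_SSE_KMS" ;;       # no KMS key configured
    alias/aws/sqs) echo "AWS_MANAGED_KEY" ;;  # default key: rule SQS-005 fails
    *)             echo "CUSTOMER_CMK" ;;     # CMK ARN, key ID or custom alias
  esac
}

# Print "<region>  <queue-url>  <finding>" for each queue in one region.
audit_region() {
  region="$1"
  urls=$(aws sqs list-queues --region "$region" \
           --query 'QueueUrls[*]' --output text) || return 1
  # list-queues returns no QueueUrls key when the region has no queues,
  # which --output text renders as "None".
  case "$urls" in ""|None) return 0 ;; esac
  for url in $urls; do
    key=$(aws sqs get-queue-attributes --region "$region" --queue-url "$url" \
            --attribute-names KmsMasterKeyId \
            --query 'Attributes.KmsMasterKeyId' --output text) || continue
    printf '%s\t%s\t%s\n' "$region" "$url" "$(classify_sqs_key "$key")"
  done
}

# Usage: sh sqs_audit.sh us-east-1 eu-west-1 ...
if [ "$#" -gt 0 ]; then
  for r in "$@"; do audit_region "$r"; done
fi
```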

Remediation / Resolution

To use your own KMS Customer Master Key (CMK) for Amazon SQS Server-Side Encryption (SSE), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Use Customer Master Keys for Server-Side Encryption (SSE)",
  "Parameters": {
    "SQSQueueName": {
      "Default": "cc-worker-queue",
      "Description": "SQS Worker Queue",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "63",
      "AllowedPattern": "^[0-9a-zA-Z-/]*$",
      "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
    }
  },
  "Resources": {
    "SQSDeadLetterQueue": {
      "Type": "AWS::SQS::Queue"
    },
    "SQSSourceQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": {
          "Ref": "SQSQueueName"
        },
        "RedrivePolicy": {
          "deadLetterTargetArn": {
            "Fn::GetAtt": ["SQSDeadLetterQueue", "Arn"]
          },
          "maxReceiveCount": 5
        },
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
        "KmsDataKeyReusePeriodSeconds": 300
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Use Customer Master Keys for Server-Side Encryption (SSE)
Parameters:
  SQSQueueName:
    Default: cc-worker-queue
    Description: SQS Worker Queue
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
Resources:
  SQSDeadLetterQueue:
    Type: AWS::SQS::Queue
  SQSSourceQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref 'SQSQueueName'
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt 'SQSDeadLetterQueue.Arn'
        maxReceiveCount: 5
      KmsMasterKeyId: arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
      KmsDataKeyReusePeriodSeconds: 300

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}


resource "aws_sqs_queue" "sqs-queue-deadletter" {
  name = "cc-dead-letter-queue"
}

resource "aws_sqs_queue" "sqs-queue" {
  name                  = "sqs-worker-queue"
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.sqs-queue-deadletter.arn
    maxReceiveCount     = 5
  })

  # Use Customer Master Keys for Server-Side Encryption (SSE)
  kms_master_key_id                 = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
  kms_data_key_reuse_period_seconds = 300

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your SQS data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon SQS console at https://console.aws.amazon.com/sqs/.

11 In the main navigation panel, under Amazon SQS, choose Queues.

12 Click on the name (link) of the SQS queue that you want to reconfigure.

13 Select the Encryption tab from the console bottom panel and choose Edit.

14 On the Edit <queue-name> configuration page, select the Encryption – Optional tab and perform the following actions:

  1. Ensure that Enabled is selected under Server-side encryption.
  2. For Encryption key type select AWS Key Management Service key (SSE-KMS). Choose the alias of the KMS CMK created at the previous steps from the Customer master key dropdown list or select Enter the CMK alias and paste your key alias into the CMK alias box.
  3. (Optional) For Data key reuse period, provide a value between 1 minute and 24 hours.
  4. Choose Save to apply the changes.

15 Repeat steps no. 12 – 14 to enable Server-Side Encryption with Customer Master Keys for other Amazon SQS queues available within the current AWS region.

16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your Amazon SQS data using the KMS API. Create a new policy document (JSON format), name the file sqs-data-cmk-policy.json, and paste the following content (replace the placeholder details in angle brackets, i.e. the AWS account ID and the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "protected-cmk-policy",
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:Create*",
              "kms:Describe*",
              "kms:Enable*",
              "kms:List*",
              "kms:Put*",
              "kms:Update*",
              "kms:Revoke*",
              "kms:Disable*",
              "kms:Get*",
              "kms:Delete*",
              "kms:TagResource",
              "kms:UntagResource",
              "kms:ScheduleKeyDeletion",
              "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. sqs-data-cmk-policy.json) as value for the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):

aws kms create-key \
  --region us-east-1 \
  --description 'Customer Master Key for SQS Queue Data Encryption' \
  --policy file://sqs-data-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/QueueDataCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Define the required parameters for the set-queue-attributes command and save them to a JSON file named cc-sse-kms.json. Replace <kms-cmk-arn> with the ARN of the KMS Customer Master Key (CMK) created at the previous steps:

{
  "KmsMasterKeyId": "<kms-cmk-arn>",
  "KmsDataKeyReusePeriodSeconds": "300"
}

06 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the Amazon SQS queue that you want to reconfigure as the identifier parameter and the attributes file defined at the previous step (i.e. cc-sse-kms.json), to enable Server-Side Encryption (SSE) with Customer Master Keys (CMKs) for the selected SQS queue (the command does not produce an output):

aws sqs set-queue-attributes \
  --region us-east-1 \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker \
  --attributes file://cc-sse-kms.json

07 Repeat steps no. 5 and 6 to enable Server-Side Encryption with Customer Master Keys for other Amazon SQS queues available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Remediation process for other regions.

Publication date May 7, 2017