🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 1 Amazon SQS queues should be encrypted at rest

Description

This control checks whether Amazon SQS queues are encrypted at rest.

Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. To protect the content of messages in queues, SSE uses keys managed in AWS KMS. For more information, see Encryption at rest in the Amazon Simple Queue Service Developer Guide.

Remediation

For information about managing SSE using the AWS Management Console, see Configuring server-side encryption (SSE) for a queue (console) in the Amazon Simple Queue Service Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_sqs_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_sqs_1 --share

SQL

This control uses a named query:

select
  queue_arn as resource,
  case
    when sqs_managed_sse_enabled then 'ok'
    when kms_master_key_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when sqs_managed_sse_enabled then  title || ' secured with managed SQS-SSE.'
    when kms_master_key_id is null then title || ' encryption at rest disabled.'
    else title || ' encryption at rest enabled.'
  end as reason
  
  , region, account_id
from
  aws_sqs_queue;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_at_rest
foundational_security_item_id = sqs_1
plugin = aws
service = AWS/SQS