Skip to content

(sqs): add SSE queue encryption for SQS #17770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
2 tasks
blockvote opened this issue Nov 30, 2021 · 7 comments · Fixed by #21591
Closed
2 tasks

(sqs): add SSE queue encryption for SQS #17770

blockvote opened this issue Nov 30, 2021 · 7 comments · Fixed by #21591
Labels
@aws-cdk/aws-sqs Related to Amazon Simple Queue Service effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p1

Comments

@blockvote
Copy link

Description

Currently you can only only select the following queue encryptions:

  • UNENCRYPTED
  • KMS_MANAGED
  • KMS

However, via AWS Console you can also select SSE encryption.

Use Case

We use S3 events, that are automatically forwarded to SQS, but that doesn't work with KMS encryption, but it does with SSE (we tried this via AWS console).

Proposed Solution

Add a new option SSE to QueueEncryption:

aws-cdk/packages/@aws-cdk/aws-sqs/lib/queue.ts

Line 192 in 29039e8

export enum QueueEncryption {

Other information

No response

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@blockvote blockvote added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 30, 2021
@github-actions github-actions bot added the @aws-cdk/aws-sqs Related to Amazon Simple Queue Service label Nov 30, 2021
@jumic
Copy link
Contributor

jumic commented Nov 30, 2021

I checked the documentation. This feature is currently not supported by CloudFormation.
A feature request already exists: aws-cloudformation/cloudformation-coverage-roadmap#989

@njlynch njlynch added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Dec 7, 2021
@njlynch njlynch removed their assignment Dec 7, 2021
@njlynch
Copy link
Contributor

njlynch commented Dec 7, 2021

Thanks for the feature request, @blockvote , and the link to the CloudFormation tracker @jumic!

@a-h
Copy link

a-h commented Feb 28, 2022
edited
Loading

I'd also like to propose that SSE becomes the default for queues, and that queues that don't have KMS encryption enabled, get it enabled by default after the rollout.

This affects me because at present, the deadLetterQueueEnabled field on AWS Lambda creates an SQS queue. That queue is then not encrypted, which (depending on your use case) could lead to personal data being stored unencrypted at rest.

Any Lambda functions that use this behaviour will have their DLQs show up in AWS Security Hub because they don't have encryption at rest enabled.

@a-h
Copy link

a-h commented Jul 20, 2022

I notice that the underlying CloudFormation support appears to be in place now (see comment), but (at time of writing) that the CloudFormation documentation hasn't been updated to reflect this, and the issue hasn't been commented on by the CloudFormation team.

aws-cloudformation/cloudformation-coverage-roadmap#989 (comment)

I assume that means we can't proceed until there's clarity. Perhaps internal to AWS there's a process for nudging this along? It looks like a zombie feature at the moment.

@jumic
Copy link
Contributor

jumic commented Aug 2, 2022

@otaviomacedo I'm not sure, if somebody from the CDK team has read @a-h's reply.
Do you have an internal contact to the CloudFormation/SQS team? If yes, maybe you can ask them to update the documentation. It looks like the feature is available now.

@jumic jumic mentioned this issue Aug 13, 2022
Merged
4 tasks
@kurtismash kurtismash mentioned this issue Sep 20, 2022
Closed
@danilobuerger
Copy link
Contributor

Seems to be documented now: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled

@mergify mergify bot closed this as completed in #21591 Sep 30, 2022
mergify bot pushed a commit that referenced this issue Sep 30, 2022
@jumic
feat(sqs): add SQS managed server side encryption (#21591)

Verified

This commit was signed with the committer’s verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2
Verified
Learn about vigilant mode
fa137eb 
Add [SQS managed server side encryption](https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-sqs-server-side-encryption-keys-sse/) for SQS queues.

The implementation uses the new CloudFormation attribute `SqsManagedSseEnabled` ([CloudFormation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled)).

Closes #17770.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

arewa pushed a commit to arewa/aws-cdk that referenced this issue Oct 8, 2022
@jumic @arewa
feat(sqs): add SQS managed server side encryption (aws#21591)
da54e7d 
Add [SQS managed server side encryption](https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-sqs-server-side-encryption-keys-sse/) for SQS queues.

The implementation uses the new CloudFormation attribute `SqsManagedSseEnabled` ([CloudFormation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled)).

Closes aws#17770.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
homakk pushed a commit to homakk/aws-cdk that referenced this issue Dec 1, 2022
@jumic @madeline-k
feat(sqs): add SQS managed server side encryption (aws#21591)
90a00c7 
Add [SQS managed server side encryption](https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-sqs-server-side-encryption-keys-sse/) for SQS queues.

The implementation uses the new CloudFormation attribute `SqsManagedSseEnabled` ([CloudFormation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled)).

Closes aws#17770.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-sqs Related to Amazon Simple Queue Service effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(sqs): add SQS managed server side encryption jumic/aws-cdk
5 participants
@danilobuerger @a-h @njlynch @jumic @blockvote