Amazon Simple Queue Service (SQS) | Server-Side Encryption (SSE) NEW Flashcards

1
Q

What happens if I issue a DeleteMessage request on a previously-deleted message?

Server-Side Encryption (SSE) NEW

Amazon Simple Queue Service (SQS) | Application Integration

A

When you issue a DeleteMessage request on a previously-deleted message, Amazon SQS returns a success response.

2
Q

What are the benefits of server-side encryption (SSE) for Amazon SQS?

A

Server-side encryption (SSE) lets you transmit sensitive data in encrypted queues. SSE protects the contents of messages in Amazon SQS queues using keys managed in the AWS Key Management Service (AWS KMS). SSE encrypts messages as soon as Amazon SQS receives them. The messages are stored in encrypted form and Amazon SQS decrypts messages only when they are sent to an authorized consumer.

AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

The following are benefits of using AWS KMS:

You can create and manage customer master keys (CMKs) yourself.

You can also use the AWS-managed CMK for Amazon SQS, which is unique for each account and region.

The AWS KMS security standards can help you meet encryption-related compliance requirements.

For more information, see the following resources:

Protecting Data Using Server-Side Encryption (SSE) and AWS KMS in the Amazon SQS Developer Guide

What is AWS Key Management Service? in the AWS KMS Developer Guide

The AWS Key Management Service Cryptographic Details whitepaper

3
Q

What regions are queues with SSE available in?

A

SSE for Amazon SQS is available in the US East (N. Virginia and Ohio) and US West (Oregon) regions. This feature will be available in more regions over the coming months.

4
Q

How do I enable SSE for a new or existing Amazon SQS queue?

A

To enable SSE for a new or existing queue using the Amazon SQS API, set the KmsMasterKeyId attribute in the CreateQueue or SetQueueAttributes action to the ID of the customer master key (CMK): the alias, alias ARN, key ID, or key ARN of either the AWS-managed CMK for Amazon SQS or a custom CMK.

For detailed instructions, see Creating an Amazon SQS Queue with Server-Side Encryption and Configuring Server-Side Encryption (SSE) for an Existing Amazon SQS Queue in the Amazon SQS Developer Guide.
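The procedure above, as an added example (not code from the Amazon SQS FAQ or documentation): the attribute names KmsMasterKeyId and KmsDataKeyReusePeriodSeconds and the boto3 call shapes (create_queue, set_queue_attributes, get_queue_attributes with an Attributes dict) are the real API; the helper functions, the ARNs and the in-memory FakeSqsClient used so the block runs offline are assumptions constructed for this illustration. Point the same helpers at boto3.client("sqs") to run them against a real account.

```python
"""Enable SSE on a new or existing SQS queue by setting KmsMasterKeyId."""
import re

# The four accepted forms of a CMK identifier: alias, alias ARN, key ID, key ARN.
_KEY_ID_FORMS = [
    re.compile(r"^alias/[A-Za-z0-9/_-]+$"),
    re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:alias/[A-Za-z0-9/_-]+$"),
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"),
    re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"),
]

MIN_REUSE_SECONDS = 60      # 1 minute
MAX_REUSE_SECONDS = 86400   # 24 hours


def sse_attributes(kms_key_id, data_key_reuse_seconds=300):
    """Queue attributes that turn SSE on, validated before they leave the process."""
    if not any(form.match(kms_key_id) for form in _KEY_ID_FORMS):
        raise ValueError(f"not an alias, alias ARN, key ID or key ARN: {kms_key_id!r}")
    if not MIN_REUSE_SECONDS <= data_key_reuse_seconds <= MAX_REUSE_SECONDS:
        raise ValueError("KmsDataKeyReusePeriodSeconds must be between 60 and 86400")
    return {
        "KmsMasterKeyId": kms_key_id,
        # All SQS attribute values are strings on the wire.
        "KmsDataKeyReusePeriodSeconds": str(data_key_reuse_seconds),
    }


def create_encrypted_queue(sqs, name, kms_key_id, reuse_seconds=300, fifo=False):
    """New queue with SSE enabled from the first message (standard or FIFO)."""
    attrs = sse_attributes(kms_key_id, reuse_seconds)
    if fifo:
        if not name.endswith(".fifo"):
            name += ".fifo"
        attrs["FifoQueue"] = "true"
    return sqs.create_queue(QueueName=name, Attributes=attrs)["QueueUrl"]


def enable_sse(sqs, queue_url, kms_key_id, reuse_seconds=300):
    """Turn SSE on for an existing queue; messages already queued stay unencrypted."""
    sqs.set_queue_attributes(QueueUrl=queue_url,
                             Attributes=sse_attributes(kms_key_id, reuse_seconds))
    return verify_sse(sqs, queue_url)


def verify_sse(sqs, queue_url):
    """Read the setting back: the CMK identifier in use, or None when SSE is off."""
    resp = sqs.get_queue_attributes(QueueUrl=queue_url, AttributeNames=["KmsMasterKeyId"])
    return resp.get("Attributes", {}).get("KmsMasterKeyId")


class FakeSqsClient:
    """Constructed in-memory stand-in for boto3's SQS client (assumption, offline only)."""

    def __init__(self):
        self.queues = {}

    def create_queue(self, QueueName, Attributes=None):
        url = f"https://sqs.us-east-1.amazonaws.com/123456789012/{QueueName}"
        self.queues[url] = dict(Attributes or {})
        return {"QueueUrl": url}

    def set_queue_attributes(self, QueueUrl, Attributes):
        self.queues[QueueUrl].update(Attributes)
        return {}

    def get_queue_attributes(self, QueueUrl, AttributeNames):
        attrs = self.queues[QueueUrl]
        return {"Attributes": {k: attrs[k] for k in AttributeNames if k in attrs}}


if __name__ == "__main__":
    # Real account: sqs = boto3.client("sqs", region_name="us-east-1")
    sqs = FakeSqsClient()
    url = create_encrypted_queue(sqs, "orders", "alias/aws/sqs")
    print(url, verify_sse(sqs, url))
```

verify_sse is the check worth keeping in a deployment pipeline: a queue whose KmsMasterKeyId reads back empty is accepting plaintext regardless of what the template said.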

5
Q

What Amazon SQS queue types can use SSE?

A

Both standard and FIFO queues support SSE.

6
Q

What permissions do I need to use SSE with Amazon SQS?

A

Before you can use SSE, you must configure AWS KMS key policies to allow encryption of queues and encryption and decryption of messages.

To enable SSE for a queue, you can use the AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Customer Master Keys in the AWS KMS Developer Guide.

To send messages to an encrypted queue, the producer must have the kms:GenerateDataKey and kms:Decrypt permissions for the CMK.

To receive messages from an encrypted queue, the consumer must have the kms:Decrypt permission for any CMK that is used to encrypt the messages in the specified queue. If the queue acts as a dead letter queue, the consumer must also have the kms:Decrypt permission for any CMK that is used to encrypt the messages in the source queue.

For more information, see What Permissions Do I Need to Use SSE? in the Amazon SQS Developer Guide.
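The permission rules above, as an added example (not code from the Amazon SQS or AWS KMS documentation): a small evaluator that reads a KMS key policy and reports which of the SSE-required actions a producer or consumer principal still lacks, including the dead letter queue case where the consumer also needs kms:Decrypt on the source queue's CMK. The sample policies, role ARNs and function names are constructed for this illustration; the evaluator only matches principals named directly in the key policy (it does not model delegation to IAM policies through the account root principal) and ignores Condition elements, both of which are simplifications. One practical caveat: the AWS-managed CMK's key policy cannot be edited, so any principal that must be granted access beyond what that policy already allows needs a custom CMK.

```python
"""Report which SSE-required KMS actions a principal lacks under a key policy."""
import fnmatch

PRODUCER_ACTIONS = frozenset({"kms:GenerateDataKey", "kms:Decrypt"})
CONSUMER_ACTIONS = frozenset({"kms:Decrypt"})


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def allowed_actions(policy, principal_arn, candidates):
    """Subset of `candidates` granted to `principal_arn` by Allow statements and not
    removed by an explicit Deny. Action matching is case-insensitive with wildcards,
    as in IAM; conditions are not evaluated (assumption)."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        principals = _statement_principals(stmt)
        if "*" not in principals and principal_arn not in principals:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        matched = {a for a in candidates
                   if any(fnmatch.fnmatchcase(a.lower(), pat) for pat in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        else:
            denied |= matched
    return allowed - denied


def sse_access_report(queue_key_policy, producer_arn, consumer_arn, source_key_policy=None):
    """Missing actions per role. Pass source_key_policy when the queue is a dead
    letter queue: its consumer must also decrypt with the source queue's CMK."""
    report = {
        "producer_missing": sorted(
            PRODUCER_ACTIONS - allowed_actions(queue_key_policy, producer_arn, PRODUCER_ACTIONS)),
        "consumer_missing": sorted(
            CONSUMER_ACTIONS - allowed_actions(queue_key_policy, consumer_arn, CONSUMER_ACTIONS)),
    }
    if source_key_policy is not None:
        report["consumer_missing_on_source_key"] = sorted(
            CONSUMER_ACTIONS - allowed_actions(source_key_policy, consumer_arn, CONSUMER_ACTIONS))
    return report


# Constructed sample data (assumption): two roles and two custom CMK policies.
PRODUCER = "arn:aws:iam::123456789012:role/order-producer"
CONSUMER = "arn:aws:iam::123456789012:role/order-consumer"

QUEUE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/kms-admin"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Producer", "Effect": "Allow", "Principal": {"AWS": PRODUCER},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Consumer", "Effect": "Allow", "Principal": {"AWS": CONSUMER},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Policy of a different CMK protecting the source queue: the consumer was never
# added here, so it cannot read messages that land in the dead letter queue.
SOURCE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Producer", "Effect": "Allow", "Principal": {"AWS": PRODUCER},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(sse_access_report(QUEUE_KEY_POLICY, PRODUCER, CONSUMER, SOURCE_KEY_POLICY))
```

The dead letter queue report is the one that surprises people: the DLQ's own key policy looks complete, yet the consumer fails on kms:Decrypt because the message is still wrapped under the source queue's CMK.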

7
Q

Are there any charges for using SSE with Amazon SQS?

A

There are no additional Amazon SQS charges. However, there are charges for calls from Amazon SQS to AWS KMS. For more information, see AWS Key Management Service Pricing.

The charges for using AWS KMS depend on the data key reuse period configured for your queues. For more information, see How Do I Estimate My AWS KMS Usage Costs? in the Amazon SQS Developer Guide.

8
Q

What does SSE for Amazon SQS encrypt and how is it encrypted?

A

SSE encrypts the body of a message in an Amazon SQS queue.

SSE doesn’t encrypt the following components:

Queue metadata (queue name and attributes)

Message metadata (message ID, timestamp, and attributes)

Per-queue metrics

Amazon SQS generates data keys based on the AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK to provide envelope encryption and decryption of messages for a configurable time period (from 1 minute to 24 hours).

9
Q

What algorithm does SSE for Amazon SQS use to encrypt messages?

A

SSE uses AES-GCM with 256-bit keys (AES-256-GCM). GCM is an authenticated encryption mode, so each encrypted message body carries an authentication tag and tampering with the ciphertext is detected when Amazon SQS decrypts it.

10
Q

Does SSE interfere with the functioning of Amazon SQS?

A

Encrypting a message makes its contents unavailable to unauthorized or anonymous users. Encrypting messages doesn’t affect the normal functioning of Amazon SQS:

A message is encrypted only if it is sent after the encryption of a queue is enabled. Amazon SQS doesn’t encrypt backlogged messages.

Any encrypted message remains encrypted even if the encryption of its queue is disabled.

11
Q

How do encrypted Amazon SQS queues coexist with non-encrypted queues and with dead letter queues?

A

Moving a message to a dead letter queue does not affect its encryption:

If you move a message from an encrypted source queue to an unencrypted dead letter queue, the message remains encrypted.

If you move a message from an unencrypted source queue to an encrypted dead letter queue, the message remains unencrypted.

12
Q

Does SSE limit the transactions per second (TPS) or number of queues that can be created with Amazon SQS?

A

SSE doesn’t limit the throughput (TPS) of Amazon SQS. The number of SSE queues that you can actively use is bounded by your AWS KMS request rate rather than by a queue-count quota, and that bound depends on the following:

The data key reuse period (1 minute to 24 hours).

The AWS KMS per-account limit (100 TPS by default).

The number of IAM users or accounts that access queues.

The existence of a large backlog (a larger backlog requires more AWS KMS calls).

For example, let’s assume the following limits:

You set your data key reuse period to 5 minutes (300 seconds).

Your KMS account has a default AWS KMS TPS limit of 100 TPS.

You use an Amazon SQS queue without a backlog and with 1 IAM user for SendMessage or ReceiveMessage actions to all queues.

In this case, you can calculate the theoretical maximum of Amazon SQS queues with SSE as follows:

300 seconds × 100 TPS / 1 IAM user = 30,000 queues
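The calculation above, and the cost question earlier on this page (charges scale with the data key reuse period), as one added example (not code from the Amazon SQS FAQ): max_sse_queues implements the FAQ's own formula; the other helpers extend it on the assumption, labelled in the comments, that each producer or consumer principal causes one AWS KMS call per queue per reuse period, and they do not model the extra calls a large backlog adds. The function names and the sample parameters are constructed for this illustration.

```python
"""Capacity and KMS call-rate arithmetic for SSE queues."""

MIN_REUSE_SECONDS = 60      # 1 minute
MAX_REUSE_SECONDS = 86400   # 24 hours
SECONDS_PER_DAY = 86400


def check_reuse_period(seconds):
    """The data key reuse period must lie between 1 minute and 24 hours."""
    if not MIN_REUSE_SECONDS <= seconds <= MAX_REUSE_SECONDS:
        raise ValueError("data key reuse period must be between 60 and 86400 seconds")
    return seconds


def max_sse_queues(reuse_period_s, kms_tps_limit, principals):
    """FAQ formula: reuse period x KMS TPS limit / number of principals."""
    check_reuse_period(reuse_period_s)
    if principals < 1:
        raise ValueError("at least one producer or consumer principal is needed")
    return reuse_period_s * kms_tps_limit // principals


def kms_tps_consumed(reuse_period_s, principals, queues):
    """Average KMS requests per second, assuming one call per principal per queue
    per reuse period (assumption; a backlog adds more)."""
    check_reuse_period(reuse_period_s)
    return principals * queues / reuse_period_s


def kms_calls_per_month(reuse_period_s, principals, queues=1, days=30):
    """Billable KMS requests over a month under the same assumption; multiply by
    the current KMS request price to estimate the charge."""
    check_reuse_period(reuse_period_s)
    periods = days * SECONDS_PER_DAY // reuse_period_s
    return periods * principals * queues


def reuse_period_tradeoff(principals, queues, kms_tps_limit,
                          periods=(60, 300, 3600, 86400)):
    """Rows of (reuse_period_s, kms_tps_consumed, fits_within_limit).

    A shorter period bounds how long Amazon SQS reuses one data key, at the
    price of more KMS calls; a longer period is cheaper but reuses each key longer."""
    return [(p, kms_tps_consumed(p, principals, queues),
             kms_tps_consumed(p, principals, queues) <= kms_tps_limit)
            for p in periods]


if __name__ == "__main__":
    print(max_sse_queues(300, 100, 1))          # the FAQ's worked case
    print(kms_calls_per_month(300, 2))          # one producer, one consumer
    for row in reuse_period_tradeoff(1, 30000, 100):
        print(row)
```

Sizing note: the FAQ's 30,000 figure assumes every queue is touched by a single principal; add consumers or producers and the bound shrinks proportionally, and a backlog that spans several reuse periods forces additional KMS calls on top of what these helpers count.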
