AWS SQS Queue Encryption Using Default KMS Key Instead Of CMK
This policy identifies SQS queues that are encrypted with the default KMS key rather than with Customer Master Keys (CMKs). It is a best practice to use customer managed master keys to encrypt your SQS queue messages, because this gives you full control over the encrypted message data.
Select the region, from the region drop-down, in which the alert is generated.
Navigate to Simple Queue Service (SQS) dashboard.
Choose the reported Simple Queue Service (SQS).
Click on 'Queue Actions' and choose 'Configure Queue' from the dropdown.
In the 'Configure' popup, under the 'Server-Side Encryption (SSE) Settings' section, choose an 'AWS KMS Customer Master Key (CMK)' from the drop-down list, or copy an existing key ARN, instead of the (Default) alias/aws/sqs key.
Click on 'Save Changes'.
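The check this policy describes can also be run programmatically. The Python below is an added example, not part of the original policy page or the product's own logic. It assumes boto3-style SQS and KMS clients are passed in, and the function names and classification labels are illustrative.

```python
# Added example: flag SQS queues whose SSE key is the AWS managed default.
AWS_MANAGED_ALIAS = "alias/aws/sqs"  # the (Default) key named on this page


def classify_queue(attrs, key_manager=None):
    """Classify one queue from its GetQueueAttributes 'Attributes' map.

    key_manager: optional callable(key_id) -> 'AWS' or 'CUSTOMER', needed when
    KmsMasterKeyId is a key ID or key ARN, which does not reveal who manages it.
    """
    key_id = attrs.get("KmsMasterKeyId")
    if not key_id:
        # No KMS key set: SQS-owned encryption (SSE-SQS) or no SSE at all.
        if attrs.get("SqsManagedSseEnabled") == "true":
            return "sse-sqs"
        return "unencrypted"
    # The default alias may appear bare or as an alias ARN.
    if key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS):
        return "default-kms"
    if key_manager is not None and key_manager(key_id) == "AWS":
        return "default-kms"
    return "customer-kms"


def audit_queues(sqs, kms):
    """Return {queue_url: classification} for every queue the SQS client lists."""
    def key_manager(key_id):
        # DescribeKey reports KeyManager as 'AWS' or 'CUSTOMER'.
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]

    findings = {}
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            attrs = sqs.get_queue_attributes(
                QueueUrl=url,
                AttributeNames=["KmsMasterKeyId", "SqsManagedSseEnabled"],
            ).get("Attributes", {})
            findings[url] = classify_queue(attrs, key_manager)
    return findings


if __name__ == "__main__":
    # Constructed attribute maps, not real queues.
    print(classify_queue({"KmsMasterKeyId": "alias/aws/sqs"}))         # default-kms
    print(classify_queue({"KmsMasterKeyId": "alias/team-queue-key"}))  # customer-kms
```

Queues reported as default-kms are the ones this policy alerts on; the other labels separate queues that have no KMS key configured from those already using a customer managed key.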
There are 2 standards that are applicable to this policy: