AWS SQS Queue Encryption Using Default KMS Key Instead Of CMK

This policy identifies SQS queues that are encrypted with the default KMS key rather than with Customer Master Keys (CMKs). It is a best practice to use customer managed master keys to encrypt your SQS queue messages. Doing so gives you full control over the encrypted message data.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS SQS queue encryption using default KMS key instead of CMK.
JSON Query:
$.Resources.*[?(@.Type == 'AWS::SQS::Queue')].Properties.KmsMasterKeyId contains alias/aws/sqs
Recommended solution: encrypt the SQS queue with a CMK instead of the default KMS key.
It is recommended that SQS queue encryption is done using a CMK instead of the default KMS key. Make sure that "KmsMasterKeyId" references a CMK rather than the "alias/aws/sqs" value.
For example:
"foobar2": {
  "Type": "AWS::SQS::Queue",
  "Properties": {
    "ContentBasedDeduplication": true,
    "KmsMasterKeyId": "alias/aws/cmk"
  }
}
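
The build rule above can be reproduced locally before a template is deployed. The following is an added example, not code from this policy or its vendor: it applies the same "contains alias/aws/sqs" test to a CloudFormation JSON template. The function name and the sample template (including the account ID and resource names) are constructed for illustration.

```python
import json

DEFAULT_SQS_ALIAS = "alias/aws/sqs"  # AWS managed key alias named in the policy query

# Constructed sample template (not from the original page).
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "DefaultKeyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}
    },
    "DefaultKeyArnQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:alias/aws/sqs"}
    },
    "CmkAliasQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": "alias/aws/cmk"}
    },
    "CmkRefQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": {"Ref": "QueueKey"}}
    },
    "NoKeyQueue": {"Type": "AWS::SQS::Queue"},
    "QueueKey": {"Type": "AWS::KMS::Key", "Properties": {}}
  }
}
"""

def queues_using_default_key(template_text):
    """Return sorted logical IDs of SQS queues whose KmsMasterKeyId contains alias/aws/sqs."""
    resources = json.loads(template_text).get("Resources") or {}
    flagged = []
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::SQS::Queue":
            continue
        key_id = (resource.get("Properties") or {}).get("KmsMasterKeyId")
        # Intrinsic functions (Ref, Fn::GetAtt) parse as dicts; only literal strings can name the alias.
        if isinstance(key_id, str) and DEFAULT_SQS_ALIAS in key_id:
            flagged.append(logical_id)
    return sorted(flagged)

if __name__ == "__main__":
    for name in queues_using_default_key(SAMPLE_TEMPLATE):
        print(f"{name}: encrypted with {DEFAULT_SQS_ALIAS}, use a CMK instead")
```

Like the JSON query, this check does not flag a queue that has no "KmsMasterKeyId" at all; that case falls outside this policy.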

Run Rule Recommendation

  1. Sign in to the AWS console.
  2. Select the region, from the region drop-down, in which the alert is generated.
  3. Navigate to Simple Queue Service (SQS) dashboard.
  4. Choose the reported Simple Queue Service (SQS).
  5. Click on 'Queue Actions' and choose 'Configure Queue' from the drop-down.
  6. In the 'Configure' popup, under the 'Server-Side Encryption (SSE) Settings' section, choose an 'AWS KMS Customer Master Key (CMK)' from the drop-down list or copy an existing key ARN instead of the (Default) alias/aws/sqs key.
  7. Click on 'Save Changes'.


There are 2 standards that are applicable to this policy:
  • CCPA 2018
