Amazon Simple Queue Service
Developer Guide

Tutorial: Configuring Server-Side Encryption (SSE) for an Existing Amazon SQS Queue

Server-side encryption (SSE) for Amazon SQS is available in the US East (N. Virginia), US East (Ohio), and US West (Oregon) regions. You can enable SSE for a queue to protect its data. For more information about using SSE, see Protecting Data Using Server-Side Encryption (SSE) and AWS KMS.

Important

All requests to queues with SSE enabled must use HTTPS and Signature Version 4.

When you disable SSE, messages remain encrypted. You must receive and decrypt a message to view its contents.

The following example demonstrates enabling, disabling, and configuring SSE for an existing Amazon SQS queue.

AWS Management Console

  1. Sign in to the Amazon SQS console.

  2. From the queue list, select a queue.

  3. From Queue Actions, select Configure Queue.

    The Configure QueueName dialog box is displayed.

  4. To enable or disable SSE, use the Use SSE check box.

  5. Specify the customer master key (CMK) ID. For more information, see Key Terms.

    For each CMK type, the Description, Account, and Key ARN of the CMK are displayed.

    Important

    If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SQS console.

    Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.

    • To use the AWS-managed CMK for Amazon SQS, select it from the list.

      Note

      Keep the following in mind:

      • If you don't specify a custom CMK, Amazon SQS uses the AWS-managed CMK for Amazon SQS. For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

      • The first time you use the AWS Management Console to specify the AWS-managed CMK for Amazon SQS for a queue, AWS KMS creates the AWS-managed CMK for Amazon SQS.

      • Alternatively, the first time you use the SendMessage or SendMessageBatch API action on a queue with SSE enabled, AWS KMS creates the AWS-managed CMK for Amazon SQS.

    • To use a custom CMK from your AWS account, select it from the list.

      Note

      For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

    • To use a custom CMK ARN from your AWS account or from another AWS account, select Enter an existing CMK ARN from the list and type or paste the CMK ARN.

  6. (Optional) For Data key reuse period, specify a value between 1 minute and 24 hours. The default is 5 minutes. For more information, see How Does the Data Key Reuse Period Work?.

  7. Choose Save Changes.

    Your changes are applied to the queue.

Java

Before you begin working with the example code, specify your AWS credentials. For more information, see Set up AWS Credentials and Region for Development in the AWS SDK for Java Developer Guide.

Before you can use SSE, you must configure AWS KMS key policies to allow encryption of queues and encryption and decryption of messages. You must also ensure that the key policies of the customer master key (CMK) allow the necessary permissions. For more information, see What Permissions Do I Need to Use SSE?.

  1. Obtain the customer master key (CMK) ID. For more information, see Key Terms.

    Note

    Keep the following in mind:

    • If you don't specify a custom CMK, Amazon SQS uses the AWS-managed CMK for Amazon SQS. For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

    • The first time you use the AWS Management Console to specify the AWS-managed CMK for Amazon SQS for a queue, AWS KMS creates the AWS-managed CMK for Amazon SQS.

    • Alternatively, the first time you use the SendMessage or SendMessageBatch API action on a queue with SSE enabled, AWS KMS creates the AWS-managed CMK for Amazon SQS.

  2. To enable server-side encryption, specify the CMK ID by setting the KmsMasterKeyId attribute of the CreateQueue or SetQueueAttributes action.

    The following code example enables SSE for an existing queue using the AWS-managed CMK for Amazon SQS:

    Map<String, String> attributes = new HashMap<String, String>();
    SetQueueAttributesRequest setAttributesRequest = new SetQueueAttributesRequest();
    setAttributesRequest.setQueueUrl(queueUrl);

    // Enable server-side encryption by specifying the alias ARN of the
    // AWS-managed CMK for Amazon SQS.
    String kmsMasterKeyAlias = "arn:aws:kms:us-east-2:123456789012:alias/aws/sqs";
    attributes.put("KmsMasterKeyId", kmsMasterKeyAlias);

    // Attach the attribute map to the request before sending it.
    setAttributesRequest.setAttributes(attributes);
    SetQueueAttributesResult setAttributesResult = client.setQueueAttributes(setAttributesRequest);

    To disable server-side encryption for an existing queue, set the KmsMasterKeyId attribute to an empty string using the SetQueueAttributes action.

    Important

    null is not a valid value for KmsMasterKeyId.

  3. (Optional) Specify the length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. Set the KmsDataKeyReusePeriodSeconds attribute of the CreateQueue or SetQueueAttributes action. Valid values are between 60 seconds (1 minute) and 86,400 seconds (24 hours). If you don't specify a value, the default value of 300 seconds (5 minutes) is used.

    The following code example sets the data key reuse period to 60 seconds (1 minute):

    // (Optional) Specify the length of time, in seconds, for which Amazon SQS can reuse
    // a data key to encrypt or decrypt messages before calling AWS KMS again.
    // Add this to the same attributes map before calling setQueueAttributes.
    attributes.put("KmsDataKeyReusePeriodSeconds", "60");

For information about how to retrieve the attributes of a queue, see Examples in the Amazon Simple Queue Service API Reference.

To retrieve the CMK ID or the data key reuse period for a particular queue, use the KmsMasterKeyId and KmsDataKeyReusePeriodSeconds attributes of the GetQueueAttributes action.
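The following is an added example, not code from this guide, that combines the steps above for the AWS SDK for Java 1.x: one method enables or disables SSE and sets the reuse period with the validation the text describes (empty string to disable, never null; reuse period between 60 and 86,400 seconds), and a second reads the attributes back with GetQueueAttributes so the change can be verified. The class and method names and the queue URL argument are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.GetQueueAttributesRequest;
import com.amazonaws.services.sqs.model.SetQueueAttributesRequest;

// Hypothetical helper class (not from the guide); attribute names are the ones SQS uses.
public class SqsSseConfig {
    private static final String KMS_KEY_ATTR = "KmsMasterKeyId";
    private static final String REUSE_ATTR = "KmsDataKeyReusePeriodSeconds";
    // Enable SSE with the given CMK (ID, key ARN or alias ARN) and reuse period, or
    // disable SSE by passing "" as the key. null is rejected because it is not a
    // valid KmsMasterKeyId value; the reuse period must be 60..86400 seconds.
    public static void configureSse(AmazonSQS client, String queueUrl,
                                    String kmsMasterKeyId, int reusePeriodSeconds) {
        if (kmsMasterKeyId == null) {
            throw new IllegalArgumentException("use \"\" to disable SSE, not null");
        }
        if (reusePeriodSeconds < 60 || reusePeriodSeconds > 86400) {
            throw new IllegalArgumentException("reuse period must be 60..86400 seconds");
        }
        Map<String, String> attributes = new HashMap<String, String>();
        attributes.put(KMS_KEY_ATTR, kmsMasterKeyId);
        if (!kmsMasterKeyId.isEmpty()) {
            attributes.put(REUSE_ATTR, Integer.toString(reusePeriodSeconds));
        }
        client.setQueueAttributes(new SetQueueAttributesRequest()
                .withQueueUrl(queueUrl).withAttributes(attributes));
    }

    // Read the SSE attributes back with GetQueueAttributes so the change can be verified.
    public static Map<String, String> readSseAttributes(AmazonSQS client, String queueUrl) {
        return client.getQueueAttributes(new GetQueueAttributesRequest(queueUrl)
                .withAttributeNames(KMS_KEY_ATTR, REUSE_ATTR)).getAttributes();
    }

    // Treat a missing or empty KmsMasterKeyId as "SSE is off" for this queue.
    public static boolean isSseEnabled(Map<String, String> attrs) {
        String keyId = attrs.get(KMS_KEY_ATTR);
        return keyId != null && !keyId.isEmpty();
    }
    public static void main(String[] args) {
        AmazonSQS client = AmazonSQSClientBuilder.defaultClient();
        String queueUrl = args[0]; // assumed: the queue URL is passed on the command line
        configureSse(client, queueUrl, "arn:aws:kms:us-east-2:123456789012:alias/aws/sqs", 300);
        Map<String, String> attrs = readSseAttributes(client, queueUrl);
        System.out.println("SSE enabled: " + isSseEnabled(attrs) + " " + attrs);
    }
}
```

Run it with credentials that hold sqs:SetQueueAttributes and sqs:GetQueueAttributes on the queue; the same read-back call is what an audit script would use to confirm every queue that should be encrypted reports a KmsMasterKeyId.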

For information about how to switch a queue to a different CMK with the same alias, see Updating an Alias in the AWS Key Management Service Developer Guide.