Amazon Simple Queue Service
Developer Guide

Tutorial: Creating an Amazon SQS Queue with Server-Side Encryption

Server-side encryption (SSE) for Amazon SQS is available in the US East (N. Virginia), US East (Ohio), and US West (Oregon) regions. You can enable server-side encryption (SSE) for a queue to protect its data at rest. For more information about using SSE, see Protecting Data Using Server-Side Encryption (SSE) and AWS KMS.

Important

All requests to queues with SSE enabled must use HTTPS and Signature Version 4.

The following example demonstrates how to create an Amazon SQS queue with SSE enabled. Although the example uses a FIFO queue, SSE works with both standard and FIFO queues.

AWS Management Console

  1. Sign in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.

  2. Choose Create New Queue.

  3. On the Create New Queue page, ensure that you're in the correct region and then type the Queue Name.

    Note

    The name of a FIFO queue must end with the .fifo suffix. FIFO queues are available in the US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland) regions.

  4. Standard is selected by default. Choose FIFO.

  5. Choose Configure Queue, and then choose Use SSE.

  6. Specify the customer master key (CMK) ID. For more information, see Key Terms.

    For each CMK type, the Description, Account, and Key ARN of the CMK are displayed.

    Important

    If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SQS console.

    Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.

    • The AWS-managed CMK for Amazon SQS is selected by default.

      Note

      Keep the following in mind:

      • If you don't specify a custom CMK, Amazon SQS uses the AWS-managed CMK for Amazon SQS. For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

      • The first time you use the AWS Management Console to specify the AWS-managed CMK for Amazon SQS for a queue, AWS KMS creates the AWS-managed CMK for Amazon SQS.

      • Alternatively, the first time you use the SendMessage or SendMessageBatch API action on a queue with SSE enabled, AWS KMS creates the AWS-managed CMK for Amazon SQS.

    • To use a custom CMK from your AWS account, select it from the list.

      Note

      For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

    • To use a custom CMK ARN from your AWS account or from another AWS account, select Enter an existing CMK ARN from the list and type or paste the CMK ARN.

  7. (Optional) For Data key reuse period, specify a value between 1 minute and 24 hours. The default is 5 minutes. For more information, see How Does the Data Key Reuse Period Work?.

  8. Choose Create Queue.

    Your new queue is created with SSE. The encryption status, alias of the CMK, Description, Account, Key ARN, and the Data Key Reuse Period are displayed on the Encryption tab.

Java

Before you begin working with the example code, specify your AWS credentials. For more information, see Set up AWS Credentials and Region for Development in the AWS SDK for Java Developer Guide.

Before you can use SSE, you must configure AWS KMS key policies to allow encryption of queues and encryption and decryption of messages. You must also ensure that the key policies of the customer master key (CMK) allow the necessary permissions. For more information, see What Permissions Do I Need to Use SSE?.

  1. Obtain the customer master key (CMK) ID. For more information, see Key Terms.

    Note

    Keep the following in mind:

    • If you don't specify a custom CMK, Amazon SQS uses the AWS-managed CMK for Amazon SQS. For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

    • The first time you use the AWS Management Console to specify the AWS-managed CMK for Amazon SQS for a queue, AWS KMS creates the AWS-managed CMK for Amazon SQS.

    • Alternatively, the first time you use the SendMessage or SendMessageBatch API action on a queue with SSE enabled, AWS KMS creates the AWS-managed CMK for Amazon SQS.

  2. To enable server-side encryption, specify the CMK ID by setting the KmsMasterKeyId attribute of the CreateQueue or SetQueueAttributes action.

    The following code example creates a new queue with SSE using the AWS-managed CMK for Amazon SQS:

    import java.util.HashMap;
    import java.util.Map;
    import com.amazonaws.services.sqs.AmazonSQSClient;
    import com.amazonaws.services.sqs.model.CreateQueueRequest;
    import com.amazonaws.services.sqs.model.CreateQueueResult;

    AmazonSQSClient client = new AmazonSQSClient(credentialsProvider);
    CreateQueueRequest createRequest = new CreateQueueRequest("MyQueue");
    Map<String, String> attributes = new HashMap<String, String>();

    // Enable server-side encryption by specifying the alias ARN of the
    // AWS-managed CMK for Amazon SQS.
    String kmsMasterKeyAlias = "arn:aws:kms:us-east-2:123456789012:alias/aws/sqs";
    attributes.put("KmsMasterKeyId", kmsMasterKeyAlias);

    // (Optional) Specify the length of time, in seconds, for which Amazon SQS can reuse
    // a data key to encrypt or decrypt messages before calling AWS KMS again.
    attributes.put("KmsDataKeyReusePeriodSeconds", "60");

    // Attach the attributes to the request. Without this call the queue is
    // created without SSE.
    createRequest.setAttributes(attributes);
    CreateQueueResult createResult = client.createQueue(createRequest);

    The following code example creates a new queue with SSE using a custom CMK:

    import java.util.HashMap;
    import java.util.Map;
    import com.amazonaws.services.sqs.AmazonSQSClient;
    import com.amazonaws.services.sqs.model.CreateQueueRequest;
    import com.amazonaws.services.sqs.model.CreateQueueResult;

    AmazonSQSClient client = new AmazonSQSClient(credentialsProvider);
    CreateQueueRequest createRequest = new CreateQueueRequest("MyQueue");
    Map<String, String> attributes = new HashMap<String, String>();

    // Enable server-side encryption by specifying the alias ARN of the custom CMK.
    String kmsMasterKeyAlias = "arn:aws:kms:us-east-2:123456789012:alias/MyAlias";
    attributes.put("KmsMasterKeyId", kmsMasterKeyAlias);

    // (Optional) Specify the length of time, in seconds, for which Amazon SQS can reuse
    // a data key to encrypt or decrypt messages before calling AWS KMS again.
    // 86400 seconds (24 hours) is the maximum value that Amazon SQS accepts.
    attributes.put("KmsDataKeyReusePeriodSeconds", "86400");

    // Attach the attributes to the request. Without this call the queue is
    // created without SSE.
    createRequest.setAttributes(attributes);
    CreateQueueResult createResult = client.createQueue(createRequest);

  3. (Optional) Specify the length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. Set the KmsDataKeyReusePeriodSeconds attribute of the CreateQueue or SetQueueAttributes action. Valid values are between 60 seconds (1 minute) and 86,400 seconds (24 hours). If you don't specify a value, the default value of 300 seconds (5 minutes) is used.

    The first code example above sets the data key reuse period to 60 seconds (1 minute); the second sets it to 86,400 seconds (24 hours). To set only this attribute, for example to 60 seconds (1 minute), add the following to the attribute map before calling CreateQueue or SetQueueAttributes:

    // (Optional) Specify the length of time, in seconds, for which Amazon SQS can reuse
    // a data key to encrypt or decrypt messages before calling AWS KMS again.
    attributes.put("KmsDataKeyReusePeriodSeconds", "60");

For information about how to retrieve the attributes of a queue, see Examples in the Amazon Simple Queue Service API Reference.

To retrieve the CMK ID or the data key reuse period for a particular queue, use the KmsMasterKeyId and KmsDataKeyReusePeriodSeconds attributes of the GetQueueAttributes action.
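The following Python is an added example, not code from this guide or from the AWS SDK. It does what the Java procedure above does on the request side (builds the KmsMasterKeyId and KmsDataKeyReusePeriodSeconds attribute map that CreateQueue or SetQueueAttributes accepts, validating both values locally) and what the preceding paragraph describes on the read side (checks a GetQueueAttributes result to confirm that SSE is on, that the CMK is one you expect, and that the data key reuse period is within a limit you choose). It makes no network calls; the GetQueueAttributes response, the account ID, region and alias names are constructed for illustration. The key-identifier regular expression, the 60..86,400 second range and the 300 second default follow the values stated on this page.

```python
"""Build and audit Amazon SQS server-side-encryption (SSE) queue attributes.

Added example, not code from the SQS Developer Guide. Pure Python with no
network access: it produces the Attributes map that CreateQueue or
SetQueueAttributes takes (for boto3: sqs.create_queue(QueueName=...,
Attributes=...)) and audits a GetQueueAttributes result. The response
below is constructed to mirror the shape of a real one.
"""
import re

# KmsDataKeyReusePeriodSeconds must be 60 s .. 86,400 s; SQS defaults to 300 s.
MIN_REUSE_SECONDS = 60
MAX_REUSE_SECONDS = 86_400
DEFAULT_REUSE_SECONDS = 300

# KmsMasterKeyId accepts a key ID, key ARN, alias name, or alias ARN.
_KEY_ID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_ALIAS = r"alias/[A-Za-z0-9/_-]+"
_ARN_PREFIX = r"arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:"
KMS_KEY_ID_RE = re.compile(
    rf"^(?:{_KEY_ID}|{_ALIAS}|{_ARN_PREFIX}(?:key/{_KEY_ID}|{_ALIAS}))$"
)

# Constructed GetQueueAttributes["Attributes"] for an SSE-enabled FIFO queue
# (account ID and region are placeholders).
SAMPLE_QUEUE_ATTRIBUTES = {
    "QueueArn": "arn:aws:sqs:us-east-2:123456789012:MyQueue.fifo",
    "FifoQueue": "true",
    "KmsMasterKeyId": "arn:aws:kms:us-east-2:123456789012:alias/aws/sqs",
    "KmsDataKeyReusePeriodSeconds": "300",
}


def sse_attributes(kms_master_key_id="alias/aws/sqs",
                   reuse_period_seconds=None, fifo=False):
    """Return a CreateQueue Attributes map that turns SSE on.

    Rejects malformed key identifiers and out-of-range reuse periods locally,
    so a typo such as 864000 (ten days) fails here rather than at the API.
    """
    if not KMS_KEY_ID_RE.match(kms_master_key_id):
        raise ValueError(
            "KmsMasterKeyId must be a key ID, key ARN, alias, or alias ARN: "
            f"{kms_master_key_id!r}")
    attrs = {"KmsMasterKeyId": kms_master_key_id}
    if reuse_period_seconds is not None:
        period = int(reuse_period_seconds)
        if not MIN_REUSE_SECONDS <= period <= MAX_REUSE_SECONDS:
            raise ValueError(
                f"KmsDataKeyReusePeriodSeconds {period} outside "
                f"{MIN_REUSE_SECONDS}..{MAX_REUSE_SECONDS}")
        # SQS attribute values are strings, not integers.
        attrs["KmsDataKeyReusePeriodSeconds"] = str(period)
    if fifo:
        attrs["FifoQueue"] = "true"  # the queue name must then end in .fifo
    return attrs


def audit_sse(queue_attributes, allowed_key_ids=None,
              max_reuse_seconds=MAX_REUSE_SECONDS):
    """Check one queue's GetQueueAttributes map; return a list of findings.

    An empty list means SSE is on, the CMK is allowed (if a set was given)
    and the data key reuse period does not exceed max_reuse_seconds.
    """
    findings = []
    key_id = queue_attributes.get("KmsMasterKeyId")
    if not key_id:
        # SQS omits KmsMasterKeyId entirely when SSE is off.
        findings.append("SSE disabled: queue has no KmsMasterKeyId")
        return findings
    if allowed_key_ids is not None and key_id not in allowed_key_ids:
        findings.append(f"CMK {key_id} is not in the allowed set")
    reuse = int(queue_attributes.get("KmsDataKeyReusePeriodSeconds",
                                     DEFAULT_REUSE_SECONDS))
    if reuse > max_reuse_seconds:
        findings.append(
            f"data key reuse period {reuse}s exceeds limit {max_reuse_seconds}s")
    return findings


if __name__ == "__main__":
    print(sse_attributes("arn:aws:kms:us-east-2:123456789012:alias/MyAlias",
                         reuse_period_seconds=86400, fifo=True))
    print(audit_sse(SAMPLE_QUEUE_ATTRIBUTES, max_reuse_seconds=3600) or "OK")
```

To audit real queues, feed audit_sse the Attributes map returned by get_queue_attributes(QueueUrl=..., AttributeNames=["All"]) for each URL from list_queues. The reuse period is a trade-off worth deciding deliberately: a shorter period means Amazon SQS calls AWS KMS more often (more KMS requests and CloudTrail entries), a longer one means a cached data key is used for longer before KMS is consulted again, so set max_reuse_seconds to whatever your key-usage policy tolerates rather than accepting the 24-hour maximum.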

For information about how to switch a queue to a different CMK with the same alias, see Updating an Alias in the AWS Key Management Service Developer Guide.