Configuring server-side encryption (SSE) for a queue (console) - Amazon Simple Queue Service

Configuring server-side encryption (SSE) for a queue (console)

To protect the data in a queue's messages, you can enable server-side encryption (SSE) for a queue. Amazon SQS integrates with the Amazon Web Services Key Management Service (Amazon Web Services KMS) to manage KMS keys for server-side encryption (SSE). For information about using SSE, see Encryption at rest.

The KMS key that you assign to your queue must have a key policy that includes permissions for all principals that are authorized to use the queue. For information, see Key Management.

If you aren't the owner of the KMS key, or if you log in with an account that doesn't have kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the KMS key on the Amazon SQS console. Ask the owner of the KMS key to grant you these permissions. For more information, see Key Management.

When you create or edit a queue, you can configure SSE-KMS.

To configure SSE-KMS for an existing queue (console)

  1. Open the Amazon SQS console at https://console.aws.amazon.com/sqs/.

  2. In the navigation pane, choose Queues.

  3. Choose a queue, and then choose Edit.

  4. Expand Encryption.

  5. For Server-side encryption, choose Enabled.

  6. Select AWS Key Management Service key (SSE-KMS).

    The console displays the Description, the Account, and the KMS key ARN of the KMS key.

  7. Specify the KMS key ID for the queue. For more information, see Key terms.

    1. Choose the Choose a KMS key alias option.

    2. The default key is the Amazon Web Services managed KMS key for Amazon SQS. To use this key, choose it from the KMS key list.

    3. To use a custom KMS key from your Amazon Web Services account, choose it from the KMS key list. For instructions on creating custom KMS keys, see Creating Keys in the Amazon Web Services Key Management Service Developer Guide.

    4. To use a custom KMS key that is not in the list, or a custom KMS key from another Amazon Web Services account, choose Enter the KMS key alias and enter the KMS key Amazon Resource Name (ARN).

  8. (Optional) For Data key reuse period, specify a value between 1 minute and 24 hours. The default is 5 minutes. For more information, see Understanding the data key reuse period.

  9. When you finish configuring SSE-KMS, choose Save.
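The same settings can be applied to an existing queue through the SQS SetQueueAttributes API instead of the console. The following is an added example, not code from the AWS documentation: it builds and validates the two SSE-KMS queue attributes the console procedure sets (the KMS key identifier and the data key reuse period), then applies and reads them back through an SQS client. It assumes boto3 is installed for the live call; the queue URL in the main block is a placeholder.

```python
"""Added example (not part of the AWS documentation page): enable SSE-KMS on an
existing queue with the SQS SetQueueAttributes API, the same settings the console
procedure above configures. The live call uses boto3 (assumed installed)."""
import re

# Real SQS queue attribute names for SSE-KMS.
KMS_KEY_ATTR = "KmsMasterKeyId"
REUSE_ATTR = "KmsDataKeyReusePeriodSeconds"
MIN_REUSE, MAX_REUSE, DEFAULT_REUSE = 60, 24 * 60 * 60, 300  # 1 min, 24 h, 5 min

_ALIAS = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
_KEY_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
_ARN = re.compile(r"^arn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/\S+$")


def build_sse_kms_attributes(kms_key, reuse_period_seconds=DEFAULT_REUSE, cross_account=False):
    """Return the Attributes map for SetQueueAttributes, or raise ValueError.

    kms_key is an alias (e.g. "alias/aws/sqs", the AWS managed key for SQS), a
    key ID, or a key/alias ARN. A key owned by another account (cross_account=True)
    has to be given as an ARN, as the console requires; aliases resolve only locally.
    """
    secs = int(reuse_period_seconds)
    if not MIN_REUSE <= secs <= MAX_REUSE:
        raise ValueError(f"{REUSE_ATTR} must be {MIN_REUSE}..{MAX_REUSE} seconds, got {secs}")
    is_arn = bool(_ARN.match(kms_key))
    if not (is_arn or _ALIAS.match(kms_key) or _KEY_ID.match(kms_key)):
        raise ValueError(f"unrecognised KMS key identifier: {kms_key!r}")
    if cross_account and not is_arn:
        raise ValueError("a KMS key in another account must be given as an ARN")
    # SQS attribute values are strings, including the integer reuse period.
    return {KMS_KEY_ATTR: kms_key, REUSE_ATTR: str(secs)}


def enable_sse_kms(sqs, queue_url, kms_key, reuse_period_seconds=DEFAULT_REUSE, cross_account=False):
    """Apply SSE-KMS to queue_url through an SQS client and return what was set."""
    attrs = build_sse_kms_attributes(kms_key, reuse_period_seconds, cross_account)
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes=attrs)
    return attrs


def read_sse_kms(sqs, queue_url):
    """Read the current SSE-KMS settings back (empty dict if SSE-KMS is off)."""
    resp = sqs.get_queue_attributes(QueueUrl=queue_url, AttributeNames=[KMS_KEY_ATTR, REUSE_ATTR])
    return resp.get("Attributes", {})


if __name__ == "__main__":
    import boto3  # assumed available; credentials come from the usual boto3 chain
    client = boto3.client("sqs")
    url = "https://sqs.us-east-1.amazonaws.com/123456789012/example-queue"  # placeholder
    print(enable_sse_kms(client, url, "alias/aws/sqs", reuse_period_seconds=600))
    print(read_sse_kms(client, url))
```

The caller still needs the kms:DescribeKey and related permissions on the key, and the key policy must allow every principal that uses the queue, exactly as the page states for the console.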