cloudformation-coverage-roadmap
AWS::SQS::Queue - Support Amazon SQS-managed encryption keys (SSE-SQS)
Name of the resource
AWS::SQS::Queue
Resource name
No response
Description
Currently, AWS::SQS::Queue only supports AWS-managed customer master key (CMK) for Amazon SQS or custom CMK by attribute KmsMasterKeyId.
Amazon SQS has announced a new Server-Side Encryption method, Amazon SQS-managed encryption keys (SSE-SQS). AWS::SQS::Queue needs to be able to specify SSE-SQS with KmsMasterKeyId attribute or a new attribute to support this method.
Other Details
AWS::SQS::Queue - AWS Cloudformation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid
Amazon SQS Announces Server-Side Encryption with Amazon SQS-managed encryption keys (SSE-SQS) https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-sqs-server-side-encryption-keys-sse/
Is there any WA?
WA:
Create a CustomResource
Example using aws cdk and lambda.
https://github.com/parraletz/sse-sqs-wa
Any ETA to add support for this feature? This is a very important feature which will save a lot of time for systems using SQS.
Asking again, any updates on when this might get added? It's seriously causing a headache at the company I work at.
We tested "Configuring server-side encryption (SSE) for a queue using SQS-owned encryption keys" using serverless property SqsManagedSseEnabled: true and it worked fine.
"serverless": "^3.12.0"
Sorry for any confusion created.
What works fine @asura-asp?
This issue is about the AWS::SQS::Queue CloudFormation resource (documented at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html) not supporting an attribute to set SSE-SQS mode.
Reading through the docs, I think the expected mechanism to enable SSE-SQS via CloudFormation is actually to set the KmsMasterKeyId to alias/aws/sqs.
> Reading through the docs, I think the expected mechanism to enable SSE-SQS via CloudFormation is actually to set the KmsMasterKeyId to alias/aws/sqs.
That uses the AWS Managed KMS key for SQS. If you look at the Documentation for the SQS API, you can see there's another field to use SSE-SQS.
Correct, SSE-SQS is not the same as KMS.
Any update? It's supported in Terraform but not in Cloudformation... I thought that AWS was committed to support CF first...
ETA please?
It seems AWS fixed this issue. I tested today setting attribute SqsManagedSseEnabled to true, as @asura-asp mentioned, and that really works.
@jean-passos - I think you're right. I ran a test today by creating an example CloudFormation template:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  QueueEncryptionTest:
    Type: AWS::SQS::Queue
    Properties:
      SqsManagedSseEnabled: true
```

```
aws cloudformation deploy --template-file=queue.yaml --stack-name=queue
```
And it created the queue with SQS encryption set:

However, the docs still say that it's unsupported, which doesn't inspire confidence. 🤷🏻
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled
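The thread distinguishes two settings that are easy to confuse: `KmsMasterKeyId: alias/aws/sqs` (the AWS managed KMS key) and `SqsManagedSseEnabled: true` (SSE-SQS). The following is an added example, not code from any participant in this thread: a small audit that classifies each `AWS::SQS::Queue` in a template by which of those properties it sets. The sample template (JSON form), the resource names, the function names and the category labels are all constructed for illustration.

```python
import json

# Constructed sample template in CloudFormation's JSON form; all names are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SseSqsQueue":    {"Type": "AWS::SQS::Queue",
                       "Properties": {"SqsManagedSseEnabled": true}},
    "AwsKeyQueue":    {"Type": "AWS::SQS::Queue",
                       "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "CustomKeyQueue": {"Type": "AWS::SQS::Queue",
                       "Properties": {"KmsMasterKeyId": {"Ref": "QueueKey"}}},
    "BothQueue":      {"Type": "AWS::SQS::Queue",
                       "Properties": {"KmsMasterKeyId": "alias/aws/sqs",
                                      "SqsManagedSseEnabled": true}},
    "BareQueue":      {"Type": "AWS::SQS::Queue"},
    "QueueKey":       {"Type": "AWS::KMS::Key", "Properties": {}}
  }
}
""")

def _is_true(value):
    # Templates may carry the flag as a boolean or as the string "true".
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def classify_queue(properties):
    """Return a label (labels are this example's own) for a queue's encryption properties."""
    props = properties or {}
    kms = props.get("KmsMasterKeyId")
    sse_sqs = props.get("SqsManagedSseEnabled")
    if isinstance(sse_sqs, dict):
        return "unresolved"      # intrinsic function (Ref, If, ...): value not known statically
    if kms and _is_true(sse_sqs):
        return "conflict"        # both mechanisms requested: flag for review
    if kms:
        # alias/aws/sqs is the AWS managed KMS key, which is SSE-KMS, not SSE-SQS
        return "sse-kms-aws-managed" if kms == "alias/aws/sqs" else "sse-kms-customer"
    if _is_true(sse_sqs):
        return "sse-sqs"
    return "unspecified"         # neither property is set in the template

def audit_template(template):
    """Map each AWS::SQS::Queue logical ID to its classification."""
    return {name: classify_queue(res.get("Properties"))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::SQS::Queue"}

if __name__ == "__main__":
    for name, mode in sorted(audit_template(SAMPLE_TEMPLATE).items()):
        print(f"{name}: {mode}")
```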

Yes, confirmed it is working, but the documentation is outdated. Please update it!
There is a "Provide feedback" link at the bottom of each documentation page. I have reported the outdated documentation. I hope this triggers the AWS team to update the documentation.
thank you @jumic
The documentation was updated at some point. It's correct now:
