
Terraform Server Side Encryption Disabled Sqs

Description

Identifies AWS SQS queues declared in Terraform ('aws_sqs_queue' resources) that do not enable server-side encryption (SSE). SQS offers two options for encrypting messages at rest: SSE-SQS, which uses SQS-owned keys and is switched on with 'sqs_managed_sse_enabled = true', and SSE-KMS, which uses an AWS KMS key referenced through 'kms_master_key_id'. When the configuration sets neither, or sets 'sqs_managed_sse_enabled' to false, the queue's contents are not guaranteed to be encrypted at rest, and anyone who gains read access to the queue (for example through an over-permissive queue policy or a compromised principal) can read sensitive message bodies. Note that SSE protects the message body only: queue metadata, message metadata such as message IDs, timestamps and message attributes, and per-queue metrics are not encrypted, so secrets should never be placed in message attributes regardless of this setting.

Weakness:

165 - Insecure service configuration - AWS

Category: Functionality Abuse

Detection Strategy

    Scans Terraform configuration files for 'aws_sqs_queue' resource declarations

    For each queue, inspects the two attributes that control encryption at rest: 'sqs_managed_sse_enabled' (SSE-SQS with SQS-owned keys) and 'kms_master_key_id' (SSE-KMS with a KMS key)

    Reports a vulnerability when 'sqs_managed_sse_enabled' is explicitly set to false, or when both attributes are absent, because the configuration then does not guarantee that messages are encrypted

    Treats a queue as compliant when it sets 'sqs_managed_sse_enabled = true' or supplies a non-empty 'kms_master_key_id'; a queue uses one of the two mechanisms, not both

Vulnerable code example

resource "aws_sqs_queue" "example" {
  name = "unencrypted-queue"
  sqs_managed_sse_enabled = false  # Vulnerable: Explicitly disables server-side encryption
}

✅ Secure code example

resource "aws_sqs_queue" "example" {
  name                    = "encrypted-queue"
  sqs_managed_sse_enabled = true  # Enable SQS-managed server-side encryption (SSE-SQS)
  # Alternative: omit the line above and set kms_master_key_id to a KMS key ID, ARN or alias for SSE-KMS
}
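The detection strategy above, carried out as an added example that is not code from the original page or from any scanner: a small Python detector that extracts 'aws_sqs_queue' blocks from Terraform text and applies the rule to the two encryption attributes. The sample configuration embedded in the script is constructed for this example; it combines the page's vulnerable and secure forms with a queue that says nothing about encryption, a queue using SSE-KMS through an assumed 'aws_kms_key.sqs' resource, and an unrelated resource type that must be ignored.

```python
"""Added example: a minimal detector for the SQS server-side encryption rule.

It scans Terraform text for 'aws_sqs_queue' resources and reports those that
neither set sqs_managed_sse_enabled = true nor supply a kms_master_key_id.
The regex-based parsing is deliberately simple: it does not resolve variables,
locals or modules, and a production scanner should use a real HCL parser.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample configuration (not from the page). The KMS key resource
# 'aws_kms_key.sqs' is assumed to exist elsewhere in the configuration.
SAMPLE_TF = '''
resource "aws_sqs_queue" "explicitly_disabled" {
  name                    = "unencrypted-queue"
  sqs_managed_sse_enabled = false  # vulnerable: SSE switched off
}

resource "aws_sqs_queue" "not_configured" {
  name = "default-queue"  # vulnerable: encryption not declared at all
}

resource "aws_sqs_queue" "sse_sqs" {
  name                    = "encrypted-queue"
  sqs_managed_sse_enabled = true
}

resource "aws_sqs_queue" "sse_kms" {
  name                              = "kms-queue"
  kms_master_key_id                 = aws_kms_key.sqs.arn  # assumed key resource
  kms_data_key_reuse_period_seconds = 300
}

resource "aws_sns_topic" "unrelated" {
  name = "not-a-queue"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
# One "key = value" line; a trailing "# comment" is excluded from the value.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.+?)\s*(?:#.*)?$',
    re.MULTILINE,
)


@dataclass
class Finding:
    resource: str
    reason: str


def iter_resources(tf_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (type, name, body) for each resource block, counting braces so
    nested blocks (tags, policies) do not terminate the resource early."""
    for match in RESOURCE_RE.finditer(tf_text):
        depth, pos = 1, match.end()
        while pos < len(tf_text) and depth:
            depth += {'{': 1, '}': -1}.get(tf_text[pos], 0)
            pos += 1
        yield match.group('type'), match.group('name'), tf_text[match.end():pos - 1]


def parse_attributes(body: str) -> Dict[str, str]:
    """Collect key = value assignments from a block body as raw HCL expressions."""
    return {m.group('key'): m.group('value').strip() for m in ATTR_RE.finditer(body)}


def check_queue(address: str, attrs: Dict[str, str]) -> Optional[Finding]:
    """Apply the rule: compliant only if SSE-KMS or SSE-SQS is explicitly enabled."""
    kms_key = attrs.get('kms_master_key_id')
    if kms_key and kms_key not in ('""', 'null'):
        return None  # SSE-KMS: any non-empty key ID, ARN, alias or reference
    sse_sqs = attrs.get('sqs_managed_sse_enabled')
    if sse_sqs == 'true':
        return None  # SSE-SQS with SQS-owned keys
    if sse_sqs == 'false':
        return Finding(address, 'sqs_managed_sse_enabled is explicitly false')
    return Finding(address, 'no server-side encryption configured')


def scan(tf_text: str) -> List[Finding]:
    """Return one Finding per aws_sqs_queue resource that fails the rule."""
    findings = []
    for rtype, name, body in iter_resources(tf_text):
        if rtype != 'aws_sqs_queue':
            continue
        finding = check_queue(f'aws_sqs_queue.{name}', parse_attributes(body))
        if finding:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_TF):
        print(f'{f.resource}: {f.reason}')
```

Run against the embedded sample, the detector flags 'aws_sqs_queue.explicitly_disabled' and 'aws_sqs_queue.not_configured' and accepts the SSE-SQS and SSE-KMS queues. A key set to an empty string or null is treated as absent, since it enables nothing; a key supplied through a variable is accepted as written, which is the main blind spot of scanning configuration text without evaluating it.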