Json Yaml Server Side Encryption Disabled Sqs
Description
Detects AWS SQS queues configured without server-side encryption in CloudFormation templates. When server-side encryption is disabled on SQS queues, messages are stored in plaintext, potentially exposing sensitive data to unauthorized access. This violates security best practices requiring encryption at rest for message queues.
Detection Strategy
• Search for CloudFormation resources of type 'AWS::SQS::Queue' in the template
• Check if the SQS queue resource is missing the SqsManagedSseEnabled property or if it's explicitly set to false
• Check if the KmsMasterKeyId property is not specified, indicating no custom KMS key encryption
• Flag the queue resource as vulnerable if server-side encryption is not enabled through either SSE-SQS or SSE-KMS
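As an added illustration (not Fluid Attacks' own detector), the following Python check applies the strategy above to a CloudFormation template in JSON form; the template, its logical IDs and the `QueueKey` reference are constructed for this example.

```python
import json

# Constructed sample template (JSON form) used only to exercise the check.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "ExplicitlyDisabled": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "UnsecureQueue", "SqsManagedSseEnabled": false}
    },
    "NothingSpecified": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "DefaultsOnly"}
    },
    "SseSqs": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "SecureQueue", "SqsManagedSseEnabled": true}
    },
    "SseKms": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"KmsMasterKeyId": {"Ref": "QueueKey"}}
    },
    "NotAQueue": {"Type": "AWS::SNS::Topic", "Properties": {}}
  }
}
"""


def _is_true(value):
    """Treat JSON true and the string form "true" (accepted by CloudFormation) as enabled."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_sqs_queues(template):
    """Return logical IDs of AWS::SQS::Queue resources with neither SSE-SQS nor SSE-KMS."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SQS::Queue":
            continue
        props = resource.get("Properties") or {}
        # Missing or false SqsManagedSseEnabled means no SSE-SQS.
        sse_sqs = _is_true(props.get("SqsManagedSseEnabled", False))
        # Any non-empty KmsMasterKeyId (literal or intrinsic such as Ref) means SSE-KMS.
        sse_kms = bool(props.get("KmsMasterKeyId"))
        if not (sse_sqs or sse_kms):
            findings.append(logical_id)
    return findings


def scan_json_template(text):
    """Parse a JSON CloudFormation template and return the flagged queue IDs."""
    return find_unencrypted_sqs_queues(json.loads(text))


if __name__ == "__main__":
    for lid in scan_json_template(SAMPLE_TEMPLATE):
        print(f"{lid}: SQS queue without server-side encryption at rest")
```

The JSON form keeps the check dependency-free; a YAML template needs a loader that accepts CloudFormation's intrinsic-function tags (such as `!Ref`) before the same function can be applied.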
Vulnerable code example
Resources:
  VulnSQSQueue:
    Type: 'AWS::SQS::Queue'
    Properties:
      QueueName: 'UnsecureQueue'
      # Vulnerable: Explicitly disabling SQS encryption at rest
      SqsManagedSseEnabled: False
✅ Secure code example
Resources:
  SecureSQSQueue:
    Type: 'AWS::SQS::Queue'
    Properties:
      QueueName: 'SecureQueue'
      # Enable SQS-managed server-side encryption for data protection at rest
      SqsManagedSseEnabled: true