Server-Side Encryption (SSE) of Amazon Simple Queue Service (SQS) message queues is supported by Avi Load Balancer. Encrypting a queue does not encrypt backlogged messages, nor does turning off encryption remove encryption from backlogged messages. SQS queue encryption is supported only in three AWS regions: US EAST (N. Virginia), US EAST (Ohio), and US WEST (Oregon).

For more information, see Server-Side Encryption for Amazon Simple Queue Service (SQS).

Prerequisites

For the Avi Load Balancer Controller to work with encrypted SQS queues and other artifacts of Amazon Simple Notification Service (SNS), either the user whose access/secret key is used or the AviController-Refined-Role must have the following policies attached to it:

  • AviController-SQS-Policy

  • AviController-SNS-Policy

  • AviController-KMS-Policy

The AviController-Refined-Role must be able to decrypt received messages when polling SQS queues. For this, the AviController-KMS-Policy must be updated to include within it a write action, kms:Decrypt. JSON files for this role and policy are shown in the IAM Role Setup for Installation into AWS section.

Customer-managed Customer Master Keys

The primary resources in the AWS key management service are Customer Master Keys (CMK)s. Customer-managed CMKs are CMKs the user creates, manages, and uses. It is in contrast with AWS-managed CMKs, which are created, managed, and used on the user’s behalf by an AWS service that is integrated with AWS KMS.

This includes enabling and disabling the CMK, rotating its cryptographic material, establishing the IAM policies and key policies that govern access to the CMK, and also using the CMK in cryptographic operations.

SSE of an SQS queue is done using a customer-managed CMK, and an SNS topic must be able to make use of that encryption key to encrypt/decrypt a message that it wants to send to the queue. For this, the encryption key’s policy must be modified to allow the SNS service to work with it.

Adding Permissions to Customer-managed CMKs

Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console. Follow the steps mentioned below:

  1. In the left navigation pane, choose Encryption keys.

  2. For Region, choose the appropriate AWS Region.

  3. Choose the Alias of the CMK whose key policy document you want to edit.

  4. On the Key Policy line, choose Switch to policy view.

  5. Add the following statement to the key policy.

    {
     "Sid": "Allow SNS to use CMK",
     "Effect": "Allow",
     "Principal": {
       "Service": "sns.amazonaws.com"
     },
     "Action": [
       "kms:GenerateDataKey*",
       "kms:Decrypt"
     ],
     "Resource": "*"
    }

To configure SNS-SQS encryption, see Configuring SQS Encryption using UI and Configuring SQS Encryption using CLI.