Server-Side Encryption (SSE) of Amazon Simple Queue Service (SQS) message queues is supported by NSX Advanced Load Balancer. Enabling SSE on a queue does not encrypt messages already in the queue, and disabling SSE does not decrypt them: each message keeps whatever encryption state it had when it was enqueued. SQS queue encryption is supported only in three AWS regions as of the time of this writing: US East (N. Virginia), US East (Ohio), and US West (Oregon).

Prerequisites

For the NSX Advanced Load Balancer Controller to work with encrypted SQS queues and the Amazon Simple Notification Service (SNS) topics that feed them, the IAM identity the Controller runs as (either the user whose access/secret key is configured, or the AviController-Refined-Role) must have the following policies attached:

  • AviController-SQS-Policy

  • AviController-SNS-Policy

  • AviController-KMS-Policy

The AviController-Refined-Role must be able to decrypt the messages it receives when polling SQS queues. For this, the AviController-KMS-Policy must be updated to include the kms:Decrypt action (listed under the Write access level in the IAM policy editor). Note that KMS evaluates the key policy as well as the IAM policy: the default key policy of a customer-managed CMK delegates to IAM policies in the key's account, so this works only while that delegation statement is present, or the role is otherwise named as a key user in the key policy. JSON files for this role and policy are shown in the IAM Role Setup for Installation into AWS section.

Customer-managed Customer Master Keys

The primary resources in AWS Key Management Service (KMS) are Customer Master Keys (CMKs), which current AWS documentation calls KMS keys. Customer-managed CMKs are CMKs that the user creates, owns, and manages. They are in contrast with AWS-managed CMKs, which are created, managed, and used on the user's behalf by an AWS service that is integrated with AWS KMS.

Managing a customer-managed CMK includes enabling and disabling it, rotating its cryptographic material, establishing the IAM policies and key policies that govern access to it, and using it in cryptographic operations.

SSE of an SQS queue that receives messages from SNS must use a customer-managed CMK. The SNS service principal has to be able to use that key to encrypt the messages it publishes to the queue, which means the key policy must be modified to allow the SNS service to work with it. This is why the AWS-managed CMK for SQS (alias/aws/sqs) cannot be used here: its key policy cannot be edited.

Adding Permissions to Customer-managed CMKs

Sign in to the AWS Management Console and open the AWS Key Management Service (KMS) console. (In older versions of the console the same keys are listed under Encryption keys in the IAM console.) Follow the steps mentioned below:

  1. In the left navigation pane, choose Customer managed keys (Encryption keys in the older console).

  2. For Region, choose the AWS Region in which the SQS queue was created; keys are regional.

  3. Choose the alias of the CMK whose key policy document you want to edit.

  4. On the Key Policy line, choose Switch to policy view.

  5. Add the following statement to the Statement array of the key policy. In a key policy, "Resource": "*" refers only to the key the policy is attached to, so this grants SNS no access to other keys.

    {
        "Sid": "Allow SNS to use CMK",
        "Effect": "Allow",
        "Principal": {
            "Service": "sns.amazonaws.com"
        },
        "Action": [
            "kms:GenerateDataKey*",
            "kms:Decrypt"
        ],
        "Resource": "*"
    }
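The same key-policy edit as a script, added here as an example; it is not part of the original page or of the NSX Advanced Load Balancer product. It merges the statement from step 5 into an existing key policy document without duplicating it, then checks that the SNS service principal ends up with both required actions. The same check function, run with no service principal, is the one to apply to the Controller's IAM policy for the kms:Decrypt requirement from the Prerequisites. The account ID and both sample policies are constructed (SAMPLE_CONTROLLER_POLICY is not the real AviController-KMS-Policy); Python is used so the merge can be tested offline on a document fetched with `aws kms get-key-policy`.

```python
"""Added example: merge the SNS statement into a KMS key policy and verify it."""
import fnmatch
import json
from copy import deepcopy

# The statement from step 5 above, verbatim.
SNS_STATEMENT = {
    "Sid": "Allow SNS to use CMK",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*",
}

# Constructed sample: the default key policy AWS attaches to a new customer-managed
# CMK. It delegates access control to IAM policies in the key's account (account ID
# made up); the SNS service principal gets nothing from it.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed sample identity policy for the Controller (NOT the real
# AviController-KMS-Policy), already including the kms:Decrypt action.
SAMPLE_CONTROLLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:ListKeys", "kms:DescribeKey", "kms:Decrypt"],
                   "Resource": "*"}],
}


def _load(policy):
    """Accept a policy as a JSON string (as get-key-policy returns it) or as a dict."""
    return json.loads(policy) if isinstance(policy, str) else deepcopy(policy)


def _as_list(value):
    """IAM allows a bare string or a list for Statement, Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def add_sns_statement(policy) -> dict:
    """Return the key policy with SNS_STATEMENT merged in.

    Idempotent: an existing statement with the same Sid is replaced rather than
    duplicated (KMS rejects policies with duplicate Sids), so re-running is safe.
    """
    doc = _load(policy)
    kept = [s for s in _as_list(doc.get("Statement")) if s.get("Sid") != SNS_STATEMENT["Sid"]]
    kept.append(deepcopy(SNS_STATEMENT))
    doc["Statement"] = kept
    return doc


def grants(policy, action: str, service: str = None) -> bool:
    """True if some Allow statement grants `action` (IAM '*' / '?' wildcards honoured).

    With `service` set, only statements whose Principal names that service principal
    count (key-policy check); with service=None the Principal is ignored (identity-
    policy check). Static approximation: Deny statements and Conditions are ignored.
    """
    for stmt in _as_list(_load(policy).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if service is not None:
            principal = stmt.get("Principal")
            services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
            if service not in services and principal != "*":
                continue
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def sns_can_use_key(policy) -> bool:
    """Both actions from the statement above must be granted to sns.amazonaws.com."""
    return all(grants(policy, a, "sns.amazonaws.com")
               for a in ("kms:GenerateDataKey", "kms:Decrypt"))


if __name__ == "__main__":
    # aws kms get-key-policy --key-id <key-id> --policy-name default \
    #     --query Policy --output text | python3 merge_sns_key_policy.py > merged.json
    # aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://merged.json
    import sys
    merged = add_sns_statement(sys.stdin.read())
    assert sns_can_use_key(merged)
    print(json.dumps(merged, indent=2))
```

The merge keys on the Sid so that running the script twice leaves one SNS statement, and the check uses the exact action names rather than the wildcard so that a policy granting only kms:GenerateDataKeyWithoutPlaintext, or only kms:*Encrypt*, fails it. Neither function evaluates Deny statements or Conditions, so treat a passing check as necessary, not sufficient; the authoritative test is publishing to the topic and seeing the message arrive in the encrypted queue.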

Enabling SQS queue encryption through the NSX Advanced Load Balancer UI is available only for the following AWS regions:

  • US East (N. Virginia)

  • US East (Ohio)

  • US West (Oregon)

Follow the steps mentioned in placeholder to configure SNS-SQS encryption on NSX Advanced Load Balancer.