Learn how to encrypt Amazon SQS queue messages at rest with server-side encryption using the SQS managed key (SSE-SQS), which encrypts message bodies transparently and without application code changes.
Question
A company uses Amazon Simple Queue Service (Amazon SQS) to decouple its microservices architecture. Some messages in an SQS queue contain sensitive information. A developer must implement a solution that encrypts all the data at rest.
Which solution will meet this requirement?
A. Enable server-side encryption for the SQS queue by using an SQS managed encryption key (SSE-SQS).
B. Use the aws:SecureTransport condition in the queue policy to ensure that only HTTPS (TLS) is used for all requests to the SQS queue.
C. Use AWS Certificate Manager (ACM) to generate an SSL/TLS certificate. Reference the certificate when messages are sent to the queue.
D. Set a message attribute in the SQS SendMessage request for messages that are sent to the queue. Set the Name to ENCRYPT. Set the Value to TRUE.
Answer
A. Enable server-side encryption for the SQS queue by using an SQS managed encryption key (SSE-SQS).
Explanation
To encrypt all data at rest in an Amazon SQS queue, the recommended solution is to enable server-side encryption for the queue using an SQS managed encryption key (SSE-SQS).
Here’s how this solution works:
- When creating a new SQS queue or modifying an existing one, enable “Server-side encryption” under the queue’s “Encryption” settings (in the API, set the SqsManagedSseEnabled queue attribute to true).
- Choose “Amazon SQS key (SSE-SQS)”. The other choice, “AWS Key Management Service key (SSE-KMS)”, uses a KMS key such as the AWS managed key aws/sqs or a customer managed key; it also encrypts data at rest, but it adds KMS permissions, KMS API charges and a data-key reuse period, and the question asks specifically for the SQS managed key.
- Amazon SQS encrypts the body of each message with the SQS managed key before storing it. SSE does not encrypt queue metadata (queue name and attributes), message metadata (message ID, timestamp and message attributes) or per-queue metrics, so sensitive values belong in the message body, never in message attributes.
- When an authorized consumer receives a message, Amazon SQS decrypts the body transparently.
By enabling SSE-SQS, every message body in the queue, including those that contain sensitive information, is encrypted at rest with a key that Amazon SQS owns and manages. The encryption is transparent to producers and consumers and requires no code changes; unlike SSE-KMS, callers need no kms:GenerateDataKey or kms:Decrypt permissions.
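The procedure above in code, as an added example written for this page (not AWS’s own code or the exam’s): it builds the SetQueueAttributes payloads for SSE-SQS and, for contrast, SSE-KMS, reads the encryption mode back from GetQueueAttributes instead of trusting that the write succeeded, and audits every queue in a region. The queue names, the account URL and the FakeSqsClient are constructed stand-ins so the logic runs offline; swap in boto3.client("sqs") for a real account. Attribute names are those of the SQS API.

```python
"""Enable, verify and audit server-side encryption on Amazon SQS queues.

Added example. boto3 is only needed for the live path; FakeSqsClient below is a
constructed in-memory stand-in that mimics the boto3 response shapes used here.
"""

# Attribute names from the SQS SetQueueAttributes / GetQueueAttributes API.
SSE_SQS_ATTRIBUTES = {"SqsManagedSseEnabled": "true"}
ENCRYPTION_ATTRIBUTE_NAMES = ["SqsManagedSseEnabled", "KmsMasterKeyId"]


def sse_kms_attributes(kms_key_id: str, reuse_period_seconds: int = 300) -> dict:
    """Payload for the alternative SSE-KMS mode (a customer managed key or the
    AWS managed key alias/aws/sqs). Producers and consumers then also need
    kms:GenerateDataKey / kms:Decrypt on that key, which SSE-SQS avoids."""
    if not 60 <= reuse_period_seconds <= 86400:
        raise ValueError("KmsDataKeyReusePeriodSeconds must be between 60 and 86400")
    return {
        "KmsMasterKeyId": kms_key_id,
        "KmsDataKeyReusePeriodSeconds": str(reuse_period_seconds),
    }


def encryption_mode(attributes: dict) -> str:
    """Classify a GetQueueAttributes 'Attributes' map as SSE-KMS, SSE-SQS or NONE.
    A queue uses exactly one mode; a KMS key id means SSE-KMS."""
    if attributes.get("KmsMasterKeyId"):
        return "SSE-KMS"
    if attributes.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "SSE-SQS"
    return "NONE"


def create_encrypted_queue(sqs, queue_name: str) -> str:
    """Create a queue with SSE-SQS enabled from the start; returns its URL."""
    resp = sqs.create_queue(QueueName=queue_name, Attributes=SSE_SQS_ATTRIBUTES)
    return resp["QueueUrl"]


def enable_sse_sqs(sqs, queue_url: str) -> str:
    """Switch an existing queue to SSE-SQS, then read the mode back to verify."""
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes=SSE_SQS_ATTRIBUTES)
    resp = sqs.get_queue_attributes(
        QueueUrl=queue_url, AttributeNames=ENCRYPTION_ATTRIBUTE_NAMES
    )
    return encryption_mode(resp.get("Attributes", {}))


def audit_queues(sqs) -> dict:
    """Map each queue URL ListQueues returns (first page) to its encryption mode."""
    report = {}
    for url in sqs.list_queues().get("QueueUrls", []):
        attrs = sqs.get_queue_attributes(
            QueueUrl=url, AttributeNames=ENCRYPTION_ATTRIBUTE_NAMES
        ).get("Attributes", {})
        report[url] = encryption_mode(attrs)
    return report


class FakeSqsClient:
    """Constructed offline stand-in for boto3's SQS client (demo only)."""

    def __init__(self):
        self._queues = {}  # queue URL -> attribute map

    def create_queue(self, QueueName, Attributes=None):
        url = f"https://sqs.us-east-1.amazonaws.com/123456789012/{QueueName}"
        self._queues[url] = dict(Attributes or {})
        return {"QueueUrl": url}

    def set_queue_attributes(self, QueueUrl, Attributes):
        attrs = self._queues[QueueUrl]
        # One SSE mode per queue: a KMS key replaces SSE-SQS and vice versa.
        if "KmsMasterKeyId" in Attributes:
            attrs.pop("SqsManagedSseEnabled", None)
        elif Attributes.get("SqsManagedSseEnabled") == "true":
            attrs.pop("KmsMasterKeyId", None)
        attrs.update(Attributes)
        return {}

    def get_queue_attributes(self, QueueUrl, AttributeNames):
        attrs = self._queues[QueueUrl]
        return {"Attributes": {k: v for k, v in attrs.items() if k in AttributeNames}}

    def list_queues(self):
        return {"QueueUrls": list(self._queues)}


if __name__ == "__main__":
    sqs = FakeSqsClient()  # replace with boto3.client("sqs") for a real account
    legacy_url = sqs.create_queue(QueueName="orders-legacy")["QueueUrl"]
    create_encrypted_queue(sqs, "orders")
    print(audit_queues(sqs))
    print(enable_sse_sqs(sqs, legacy_url))
```

The read-back in enable_sse_sqs matters in practice: SetQueueAttributes returns no body, and a queue can hold only one SSE mode, so verifying through GetQueueAttributes (or an audit like audit_queues run from a scheduled job) is how you confirm a queue actually ended up encrypted. The sse_kms_attributes helper is included only to make the SSE-SQS versus SSE-KMS distinction concrete.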
The other options provided in the question are not suitable for encrypting data at rest in an SQS queue:
B. The aws:SecureTransport condition in the queue policy rejects requests that do not use HTTPS (TLS). That protects data in transit and is worth enabling alongside SSE, but it does nothing for data stored in the queue.
C. An SSL/TLS certificate from AWS Certificate Manager (ACM) is used to terminate TLS on services such as load balancers, CloudFront and API Gateway; the SQS API endpoints already present AWS-managed certificates, and there is no way to reference a certificate in a SendMessage request. It concerns data in transit, not at rest.
D. A message attribute is user-defined metadata that SQS stores and passes through unchanged; SQS does not interpret an attribute named ENCRYPT, and SSE does not even encrypt message attributes, so this would encrypt nothing.
This is a practice question, with answer and explanation, for the AWS Certified Developer – Associate (DVA-C02) exam.