AWS Security Hub · SQS
SQS.1: SQS messages are not encrypted at rest
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub SQS.1 check?
SQS.1 checks that an SQS queue is encrypted at rest. It reports FAILED when a queue has neither SSE-SQS nor SSE-KMS server-side encryption enabled, so message bodies sit in plaintext.
Why does SQS.1 matter?
Queue messages frequently carry the payloads moving between services — order details, tokens, internal events — and an unencrypted queue keeps them in plaintext at rest, outside any key control plane. SSE-KMS additionally gives you an auditable key policy and CloudTrail on decrypts.
How do I fix SQS.1?
- Audit queues for their encryption configuration.
- Choose SSE-SQS for a zero-config baseline, or SSE-KMS where you need a customer-managed key and audit trail.
- Align producer and consumer IAM with the KMS key first, then enable encryption with set-queue-attributes.
- Roll the fix across the account and add a guardrail via Config and SCPs.
Remediation script · bash
# 1. Bulk-enable free SSE-SQS on every queue in the region that has neither SSE-SQS nor SSE-KMS.
#    get-queue-attributes omits KmsMasterKeyId when SSE-KMS is off and returns SqsManagedSseEnabled
#    as the string "false" (not nothing) when SSE-SQS is off, so test both attributes explicitly
#    instead of checking for an empty result. Text output prints a missing attribute as "None".
for q in $(aws sqs list-queues --query 'QueueUrls[]' --output text); do
  read -r kms sse < <(aws sqs get-queue-attributes --queue-url "$q" \
      --attribute-names KmsMasterKeyId SqsManagedSseEnabled \
      --query '[Attributes.KmsMasterKeyId, Attributes.SqsManagedSseEnabled]' --output text)
  if [ "$kms" = "None" ] && [ "$sse" != "true" ]; then
    aws sqs set-queue-attributes --queue-url "$q" \
      --attributes '{"SqsManagedSseEnabled":"true"}' && echo "encrypted $q"
  fi
done
# 2. High-throughput queue: SSE-KMS with a customer-managed key and a 5-minute data-key reuse
#    window (KmsDataKeyReusePeriodSeconds, 60 to 86400 seconds, default 300) so per-message KMS
#    calls stay flat. Queue URL and key ARN are placeholders; grant producers and consumers on
#    the key policy before running this, or sends and receives start failing.
aws sqs set-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/111122223333/payment-events \
  --attributes '{"KmsMasterKeyId":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab","KmsDataKeyReusePeriodSeconds":"300"}'
# 3. Verify the effective encryption attributes on a queue after the change.
aws sqs get-queue-attributes \
  --queue-url https://sqs.us-east-1.amazonaws.com/111122223333/payment-events \
  --attribute-names KmsMasterKeyId SqsManagedSseEnabled KmsDataKeyReusePeriodSeconds \
  --query 'Attributes' --output table
# 4. Confirm an at-rest Config rule is evaluating so regressions are caught automatically.
#    Security Hub deploys its copy under a generated name (securityhub-sqs-queue-encrypted-<suffix>);
#    if the plain name below finds nothing, look the exact name up with
#    aws configservice describe-config-rules.
aws configservice describe-compliance-by-config-rule --config-rule-names sqs-queue-encrypted \
  --query 'ComplianceByConfigRules[].Compliance.ComplianceType'
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt other services at rest (queues, streams, logs, ML).
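The audit-and-remediate loop above, worked through in Python with boto3 so the decision logic can be exercised offline. This is an added example for this page, not the page's script and not an AWS tool: the attribute names and the list_queues / get_queue_attributes / set_queue_attributes calls are the real SQS API, while the queue URLs, the key ARN, the FakeSqs client and the SAMPLE_QUEUES inventory are constructed for illustration. It shows the three states a queue can be in, why an "attributes came back empty" test misclassifies queues that report SqsManagedSseEnabled "false", and that an already-encrypted queue is left alone because SQS.1 only fails a queue with neither mode.

```python
"""Audit SQS queues against SQS.1 and plan the minimal fix (added example)."""
from __future__ import annotations

# Placeholder customer-managed key ARN (assumption, not a real key).
EXAMPLE_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                   "1234abcd-12ab-34cd-56ef-1234567890ab")
ENCRYPTION_ATTRS = ["KmsMasterKeyId", "SqsManagedSseEnabled",
                    "KmsDataKeyReusePeriodSeconds"]


def classify(attrs: dict) -> str:
    """Map get_queue_attributes output to 'sse-kms', 'sse-sqs' or 'none'.

    SQS omits KmsMasterKeyId when SSE-KMS is off and returns the string
    "false" for SqsManagedSseEnabled when SSE-SQS is off, so an empty
    result is not what an unencrypted queue looks like.
    """
    if attrs.get("KmsMasterKeyId"):
        return "sse-kms"
    if str(attrs.get("SqsManagedSseEnabled", "false")).lower() == "true":
        return "sse-sqs"
    return "none"


def plan_remediation(attrs: dict, mode: str = "sse-sqs",
                     key_arn: str = EXAMPLE_KEY_ARN,
                     reuse_seconds: int = 300) -> dict | None:
    """Attributes payload for set_queue_attributes, or None if already passing."""
    if classify(attrs) != "none":
        return None          # SQS.1 only fails queues with neither mode
    if mode == "sse-sqs":
        return {"SqsManagedSseEnabled": "true"}
    if mode == "sse-kms":
        if not 60 <= reuse_seconds <= 86400:
            raise ValueError("KmsDataKeyReusePeriodSeconds must be 60..86400")
        # Reuse window bounds how often SQS asks KMS for a fresh data key.
        return {"KmsMasterKeyId": key_arn,
                "KmsDataKeyReusePeriodSeconds": str(reuse_seconds)}
    raise ValueError(f"unknown mode {mode!r}")


def audit_region(sqs, mode: str = "sse-sqs", apply: bool = False,
                 **kw) -> list[tuple[str, str]]:
    """Paginate list_queues (1,000 per page), classify, optionally fix.

    Returns [(queue_url, state)]; a fixed queue reports 'none -> <mode>'.
    """
    report = []
    for page in sqs.get_paginator("list_queues").paginate():
        for url in page.get("QueueUrls", []):
            attrs = sqs.get_queue_attributes(
                QueueUrl=url, AttributeNames=ENCRYPTION_ATTRS)["Attributes"]
            state = classify(attrs)
            fix = plan_remediation(attrs, mode, **kw)
            if fix and apply:
                sqs.set_queue_attributes(QueueUrl=url, Attributes=fix)
                state = f"none -> {mode}"
            report.append((url, state))
    return report


class FakeSqs:
    """Constructed in-memory stand-in for the boto3 SQS client (not boto3)."""

    def __init__(self, queues: dict[str, dict]):
        self.queues = {u: dict(a) for u, a in queues.items()}

    def get_paginator(self, operation: str):
        assert operation == "list_queues"
        pages = [{"QueueUrls": list(self.queues)}]
        return type("Paginator", (), {"paginate": lambda _s, **_k: pages})()

    def get_queue_attributes(self, QueueUrl, AttributeNames):
        a = self.queues[QueueUrl]
        return {"Attributes": {k: a[k] for k in AttributeNames if k in a}}

    def set_queue_attributes(self, QueueUrl, Attributes):
        self.queues[QueueUrl].update(Attributes)


# Constructed sample inventory: one queue per state.
SAMPLE_QUEUES = {
    "https://sqs.us-east-1.amazonaws.com/111122223333/orders":
        {"SqsManagedSseEnabled": "false"},                      # fails SQS.1
    "https://sqs.us-east-1.amazonaws.com/111122223333/events":
        {"SqsManagedSseEnabled": "true"},                       # SSE-SQS
    "https://sqs.us-east-1.amazonaws.com/111122223333/payments":
        {"KmsMasterKeyId": "alias/aws/sqs",
         "KmsDataKeyReusePeriodSeconds": "300"},                # SSE-KMS
}


def demo(apply: bool = True) -> dict[str, str]:
    """Run the audit against the constructed inventory; returns {url: state}."""
    return dict(audit_region(FakeSqs(SAMPLE_QUEUES), apply=apply))


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:          # real account: needs boto3 and credentials
        import boto3
        rows = audit_region(boto3.client("sqs"), apply="--apply" in sys.argv)
    else:
        rows = demo().items()
    for url, state in rows:
        print(f"{state:16} {url}")
```

Run it with no arguments for the offline demo, with `--live` to report on the calling account, and `--live --apply` to enable SSE-SQS on every failing queue; pass `mode="sse-kms"` and your own `key_arn` to `audit_region` once the key policy already admits the producers and consumers.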
Is SQS.1 a false positive?
Rarely: the check reads the queue's own attributes, so a FAILED finding means the queue really has neither SSE-SQS nor SSE-KMS. The risk is in the fix rather than the finding. With SSE-KMS, producers need kms:GenerateDataKey and kms:Decrypt on the key and consumers need kms:Decrypt, and any AWS service that delivers into the queue (SNS, EventBridge, S3 event notifications) must be allowed in the key policy, which the AWS managed key alias/aws/sqs cannot be edited to do, so use a customer-managed key for those queues. Flip encryption on without granting those and sends and receives start failing with KMS access errors, so align IAM first.
More SQS controls
- SQS.3 An SQS queue policy allows public access