Missing Server Side Encryption in AWS
S3
All Amazon S3 objects are encrypted at rest using AES-256 encryption. By default, Amazon S3 manages the keys it uses to encrypt and decrypt your data.
However, there are other options. Amazon also allows you to use the AWS Key Management Service (KMS) to manage your encryption keys. This gives you more control over your encryption keys and how they are used. Finally, you can also use your own encryption keys to encrypt your data, known as Customer-Provided Keys (SSE-C).
SQS and SNS
While AWS may enable server-side encryption by default for S3, it is not enabled by default for SQS and SNS. This means that if you use SQS or SNS, you should enable server-side encryption.
This can be done by setting the KmsMasterKeyId parameter when creating the queue or topic. Set it to alias/aws/sqs or alias/aws/sns to use the default KMS key for SQS or SNS, respectively.
As with S3, you can let Amazon's KMS service manage your keys or use your own keys.
Example
{
  "QueueName": "my-queue",
  "KmsMasterKeyId": "alias/aws/sqs"
}
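To catch queues and topics that were defined without the KmsMasterKeyId setting described above, the following added example (not part of the original page) scans a CloudFormation template for AWS::SQS::Queue and AWS::SNS::Topic resources that lack it. The template, resource names and the function name find_unencrypted are constructed for illustration, and the check looks only at KmsMasterKeyId.

```python
import json

# CloudFormation resource types this page covers; both accept KmsMasterKeyId.
CHECKED_TYPES = {"AWS::SQS::Queue", "AWS::SNS::Topic"}

# Constructed sample template (not from the original page).
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "EncryptedQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "my-queue", "KmsMasterKeyId": "alias/aws/sqs"}
    },
    "PlainQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {"QueueName": "plain-queue"}
    },
    "EmptyKeyTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "alerts", "KmsMasterKeyId": ""}
    },
    "NoPropsTopic": {"Type": "AWS::SNS::Topic"},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
"""


def find_unencrypted(template_text):
    """Return sorted logical IDs of queues/topics with no usable KmsMasterKeyId."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") not in CHECKED_TYPES:
            continue
        props = resource.get("Properties") or {}
        key_id = props.get("KmsMasterKeyId")
        # Missing, null or empty string all mean no KMS key was configured.
        # A dict (e.g. {"Ref": ...}) is an intrinsic function and counts as set.
        if key_id is None or (isinstance(key_id, str) and not key_id.strip()):
            findings.append(logical_id)
    return sorted(findings)


if __name__ == "__main__":
    for name in find_unencrypted(SAMPLE_TEMPLATE):
        print(f"{name}: KmsMasterKeyId not set")
```

Run as part of a pre-deployment check, a non-empty result means at least one queue or topic would be created without a KMS key configured.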