- What language is this for? Terraform, but will apply to other languages as well.
- Which rule? terraform:S6330
- Why do you believe it’s a false-positive/false-negative?
The rule claims that KMS has to be used and that KMS has to be configured using the “kms_master_key_id” for encryption to be enabled. However, AWS introduced Server-Side Encryption with Amazon SQS-managed encryption keys (SSE-SQS). By now it’s already enabled by default for new queues.
Note that if the `SqsManagedSseEnabled: true` property is not specified, SSE-SQS is enabled by default.
Even when explicitly enabling SSE-SQS with `sqs_managed_sse_enabled = true`, it will bring up this alert.
- Are you using
- SonarQube - which version? 9.9
- How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
```hcl
resource "aws_sqs_queue" "terraform_queue" {
  name                    = "terraform-example-queue"
  sqs_managed_sse_enabled = true
}
```
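
Added example (not part of the original post and not SonarQube's rule implementation): a check over `terraform show -json` plan output that accepts either encryption mode the post describes, KMS via `kms_master_key_id` or SSE-SQS via `sqs_managed_sse_enabled`. The function names and the sample plan are constructed for illustration; treating an unset attribute as SSE-SQS by default is an assumption taken from the post's statement about new queues.

```python
import json

# Constructed sample shaped like the planned_values part of `terraform show -json`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_sqs_queue.sse_sqs", "type": "aws_sqs_queue",
     "values": {"name": "a", "kms_master_key_id": null, "sqs_managed_sse_enabled": true}},
    {"address": "aws_sqs_queue.kms", "type": "aws_sqs_queue",
     "values": {"name": "b", "kms_master_key_id": "alias/aws/sqs"}},
    {"address": "aws_sqs_queue.disabled", "type": "aws_sqs_queue",
     "values": {"name": "c", "sqs_managed_sse_enabled": false}},
    {"address": "aws_sqs_queue.unset", "type": "aws_sqs_queue",
     "values": {"name": "d"}}
  ],
  "child_modules": [{"resources": [
    {"address": "module.m.aws_sqs_queue.q", "type": "aws_sqs_queue",
     "values": {"name": "e", "kms_master_key_id": "", "sqs_managed_sse_enabled": false}}
  ]}]
}}}
""")

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def classify_queue(values):
    """Return the encryption state implied by a queue's planned attributes."""
    if values.get("kms_master_key_id"):       # non-empty key id or alias: SSE-KMS
        return "sse-kms"
    sse = values.get("sqs_managed_sse_enabled")
    if sse is True:                           # explicitly enabled SSE-SQS
        return "sse-sqs"
    if sse is False:                          # explicitly disabled, no KMS key
        return "unencrypted"
    return "sse-sqs-default"                  # unset: assumed default per the post

def audit(plan):
    """Map every aws_sqs_queue address in the plan to its encryption state."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {r["address"]: classify_queue(r.get("values", {}))
            for r in iter_resources(root) if r.get("type") == "aws_sqs_queue"}

def findings(plan):
    """Addresses that should be flagged: only queues with encryption turned off."""
    return sorted(a for a, state in audit(plan).items() if state == "unencrypted")
```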