Using server-side encryption (SSE) - Amazon Simple Queue Service

Using server-side encryption (SSE)

You can use the Amazon SDK for Java to add server-side encryption (SSE) to an Amazon SQS queue. Each queue uses an Amazon Key Management Service (Amazon KMS) KMS key to generate the data encryption keys. This example uses the Amazon managed KMS key for Amazon SQS. For more information about using SSE and the role of the KMS key, see Encryption at rest.

Adding SSE to an existing queue

To enable server-side encryption for an existing queue, use the SetQueueAttributes method to set the KmsMasterKeyId attribute.

The following code example sets the Amazon KMS key as the Amazon managed KMS key for Amazon SQS. The example also sets the Amazon KMS key reuse period to 140 seconds.

Before you run the example code, make sure that you have set your Amazon credentials. For more information, see Set up Amazon Credentials and Region for Development in the Amazon SDK for Java 2.x Developer Guide.

import java.util.HashMap;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.*;

// Create an SqsClient for the specified Region.
SqsClient sqsClient = SqsClient.builder().region(Region.US_WEST_1).build();

// Get the URL of your queue. Queue names cannot contain spaces.
String myQueueName = "my-queue";
GetQueueUrlResponse getQueueUrlResponse =
        sqsClient.getQueueUrl(GetQueueUrlRequest.builder().queueName(myQueueName).build());
String queueUrl = getQueueUrlResponse.queueUrl();

// Create a hashmap for the attributes. Add the key alias and reuse period to the hashmap.
HashMap<QueueAttributeName, String> attributes = new HashMap<QueueAttributeName, String>();
final String kmsMasterKeyAlias = "alias/aws/sqs"; // the alias of the Amazon managed KMS key for Amazon SQS.
attributes.put(QueueAttributeName.KMS_MASTER_KEY_ID, kmsMasterKeyAlias);
attributes.put(QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS, "140");

// Create the SetQueueAttributesRequest and apply it to the queue.
SetQueueAttributesRequest setAttrsRequest = SetQueueAttributesRequest.builder()
        .queueUrl(queueUrl)
        .attributes(attributes)
        .build();
sqsClient.setQueueAttributes(setAttrsRequest);

Disabling SSE for a queue

To disable server-side encryption for an existing queue, set the KmsMasterKeyId attribute to an empty string using the SetQueueAttributes method.

Important

null isn't a valid value for KmsMasterKeyId.

Creating a queue with SSE

To enable SSE when you create the queue, add the KmsMasterKeyId attribute to the CreateQueue API method.

The following example creates a new queue with SSE enabled. The queue uses the Amazon managed KMS key for Amazon SQS. The example also sets the Amazon KMS key reuse period to 160 seconds.

Before you run the example code, make sure that you have set your Amazon credentials. For more information, see Set up Amazon Credentials and Region for Development in the Amazon SDK for Java 2.x Developer Guide.

import java.util.HashMap;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.*;

// Create an SqsClient for the specified Region.
SqsClient sqsClient = SqsClient.builder().region(Region.US_WEST_1).build();

// Name of the queue to create (placeholder value for this example).
String queueName = "my-queue";

// Create a hashmap for the attributes. Add the key alias and reuse period to the hashmap.
HashMap<QueueAttributeName, String> attributes = new HashMap<QueueAttributeName, String>();
final String kmsMasterKeyAlias = "alias/aws/sqs"; // the alias of the Amazon managed KMS key for Amazon SQS.
attributes.put(QueueAttributeName.KMS_MASTER_KEY_ID, kmsMasterKeyAlias);
attributes.put(QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS, "160");

// Add the attributes to the CreateQueueRequest and create the queue.
CreateQueueRequest createQueueRequest = CreateQueueRequest.builder()
        .queueName(queueName)
        .attributes(attributes)
        .build();
sqsClient.createQueue(createQueueRequest);

Retrieving SSE attributes

For information about retrieving queue attributes, see Examples in the Amazon Simple Queue Service API Reference.

To retrieve the KMS key ID or the data key reuse period for a particular queue, run the GetQueueAttributes method and retrieve the KmsMasterKeyId and KmsDataKeyReusePeriodSeconds values.
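
One way to turn that retrieval into a configuration check is sketched below. This is an added example, not code from the Amazon documentation. The class name SseAttributeCheck, the MAX_REUSE_SECONDS ceiling, and the sample attribute maps are assumptions made for illustration.

```java
import java.util.Map;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.GetQueueAttributesRequest;
import software.amazon.awssdk.services.sqs.model.QueueAttributeName;

public class SseAttributeCheck {
    // Assumed policy ceiling for this example (not from the guide); choose your own.
    static final int MAX_REUSE_SECONDS = 300;

    // Pure check over the attribute map, so it can be exercised without a network call.
    static String evaluate(Map<QueueAttributeName, String> attrs) {
        String keyId = attrs.get(QueueAttributeName.KMS_MASTER_KEY_ID);
        // An absent or empty KmsMasterKeyId means no KMS key is set on the queue.
        if (keyId == null || keyId.isEmpty()) {
            return "FINDING: KmsMasterKeyId is not set";
        }
        String reuse = attrs.get(QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS);
        try {
            if (reuse != null && Integer.parseInt(reuse) > MAX_REUSE_SECONDS) {
                return "FINDING: key " + keyId + " reuse period " + reuse + "s exceeds "
                        + MAX_REUSE_SECONDS + "s";
            }
        } catch (NumberFormatException e) {
            return "FINDING: unparseable reuse period '" + reuse + "'";
        }
        return "OK: key " + keyId + ", reuse period " + reuse + "s";
    }

    // Requests only the two SSE attributes named above.
    static Map<QueueAttributeName, String> fetch(SqsClient sqs, String queueUrl) {
        return sqs.getQueueAttributes(GetQueueAttributesRequest.builder()
                .queueUrl(queueUrl)
                .attributeNames(QueueAttributeName.KMS_MASTER_KEY_ID,
                        QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS)
                .build()).attributes();
    }

    public static void main(String[] args) {
        if (args.length == 1) { // live mode: pass a queue URL as the only argument
            try (SqsClient sqs = SqsClient.builder().region(Region.US_WEST_1).build()) {
                System.out.println(evaluate(fetch(sqs, args[0])));
            }
            return;
        }
        // Constructed sample attribute maps (not real service responses).
        System.out.println(evaluate(Map.of()));
        System.out.println(evaluate(Map.of(QueueAttributeName.KMS_MASTER_KEY_ID, "alias/aws/sqs",
                QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS, "140")));
        System.out.println(evaluate(Map.of(QueueAttributeName.KMS_MASTER_KEY_ID, "alias/aws/sqs",
                QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS, "3600")));
    }
}
```

Run without arguments, the class evaluates the constructed samples only; with a queue URL it needs the same credentials setup as the examples above.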