Using server-side encryption (SSE) - Amazon Simple Queue Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using server-side encryption (SSE)

You can use the Amazon SDK for Java to add server-side encryption (SSE) to an Amazon SQS queue. Each queue uses an Amazon Key Management Service (Amazon KMS) KMS key to generate the data encryption keys. This example uses the Amazon managed KMS key for Amazon SQS. For more information about using SSE and the role of the KMS key, see Encryption at rest.

Adding SSE to an existing queue

To enable server-side encryption for an existing queue, use the SetQueueAttributes method to set the KmsMasterKeyId attribute.

The following code example sets the Amazon KMS key as the Amazon managed KMS key for Amazon SQS. The example also sets the Amazon KMS key reuse period to 140 seconds.

Before you run the example code, make sure that you have set your Amazon credentials. For more information, see Set up Amazon Credentials and Region for Development in the Amazon SDK for Java 2.x Developer Guide.

// Create an SqsClient for the specified Region. SqsClient sqsClient = SqsClient.builder().region(Region.US_WEST_1).build(); // Get the URL of your queue. String myQueueName = "my queue"; GetQueueUrlResponse getQueueUrlResponse = sqsClient.getQueueUrl(GetQueueUrlRequest.builder().queueName(myQueueName).build()); String queueUrl = getQueueUrlResponse.queueUrl(); // Create a hashmap for the attributes. Add the key alias and reuse period to the hashmap. HashMap<QueueAttributeName, String> attributes = new HashMap<QueueAttributeName, String>(); final String kmsMasterKeyAlias = "alias/aws/sqs"; // the alias of the Amazon managed KMS key for Amazon SQS. attributes.put(QueueAttributeName.KMS_MASTER_KEY_ID, kmsMasterKeyAlias); attributes.put(QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS, "140"); // Create the SetQueueAttributesRequest. SetQueueAttributesRequest set_attrs_request = SetQueueAttributesRequest.builder() .queueUrl(queueUrl) .attributes(attributes) .build(); sqsClient.setQueueAttributes(set_attrs_request);

Disabling SSE for a queue

To disable server-side encryption for an existing queue, set the KmsMasterKeyId attribute to an empty string using the SetQueueAttributes method.

Important

null isn't a valid value for KmsMasterKeyId.

Creating a queue with SSE

To enable SSE when you create the queue, add the KmsMasterKeyId attribute to the CreateQueue API method.

The following example creates a new queue with SSE enabled. The queue uses the Amazon managed KMS key for Amazon SQS. The example also sets the Amazon KMS key reuse period to 160 seconds.

Before you run the example code, make sure that you have set your Amazon credentials. For more information, see Set up Amazon Credentials and Region for Development in the Amazon SDK for Java 2.x Developer Guide.

// Create an SqsClient for the specified Region. SqsClient sqsClient = SqsClient.builder().region(Region.US_WEST_1).build(); // Create a hashmap for the attributes. Add the key alias and reuse period to the hashmap. HashMap<QueueAttributeName, String> attributes = new HashMap<QueueAttributeName, String>(); final String kmsMasterKeyAlias = "alias/aws/sqs"; // the alias of the Amazon managed KMS key for Amazon SQS. attributes.put(QueueAttributeName.KMS_MASTER_KEY_ID, kmsMasterKeyAlias); attributes.put(QueueAttributeName.KMS_DATA_KEY_REUSE_PERIOD_SECONDS, "140"); // Add the attributes to the CreateQueueRequest. CreateQueueRequest createQueueRequest = CreateQueueRequest.builder() .queueName(queueName) .attributes(attributes) .build(); sqsClient.createQueue(createQueueRequest);

Retrieving SSE attributes

For information about retrieving queue attributes, see Examples in the Amazon Simple Queue Service API Reference.

To retrieve the KMS key ID or the data key reuse period for a particular queue, run the GetQueueAttributes method and retrieve the KmsMasterKeyId and KmsDataKeyReusePeriodSeconds values.