Reputation: 11
The "Send and retrieve messages" option allows retrieving messages from an SQS DLQ. SSE is enabled, but the message body is displayed in plain text. Is there a way to prevent a user with permissions to redrive messages from being able to see message content (that might contain PII) in plain text?
Upvotes: 0
Views: 106
Reputation: 11
Picked solution: using client-side encryption. Messages are sent to the DLQ manually in case of errors, and the message content is manually encrypted using KMS.
I think double encryption will be in place (since both the regular queue and the DLQ have encryption enabled already).
An additional attribute is added to the message sent to the DLQ to indicate that it is encrypted. This way, when read from the DLQ using the SQS console UI, the message body is shown encrypted. When reprocessed, the message is decrypted prior to processing based on the attribute's presence (the same workload is used for the regular queue and the DLQ).
Upvotes: 0
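A sketch of the scheme described in the answer above, added here as an example and not the poster's own code. The attribute name `body-encryption`, its value `kms-v1` and the function names are hypothetical; `sqs` and `kms` are boto3 clients supplied by the caller, and the body is assumed to fit the 4096-byte limit of a direct KMS `Encrypt` call.

```python
import base64

ENC_ATTR = "body-encryption"   # hypothetical marker attribute name
ENC_VALUE = "kms-v1"           # hypothetical marker value
KMS_DIRECT_LIMIT = 4096        # KMS Encrypt accepts at most 4096 bytes of plaintext


def send_to_dlq(sqs, kms, dlq_url, key_id, body):
    """Encrypt body under key_id and send it to the DLQ with the marker attribute."""
    raw = body.encode("utf-8")
    if len(raw) > KMS_DIRECT_LIMIT:
        # Larger payloads need envelope encryption (GenerateDataKey), not shown here.
        raise ValueError("body exceeds the 4096-byte KMS Encrypt limit")
    blob = kms.encrypt(KeyId=key_id, Plaintext=raw)["CiphertextBlob"]
    return sqs.send_message(
        QueueUrl=dlq_url,
        # SQS bodies are text, so the binary ciphertext is base64-encoded.
        MessageBody=base64.b64encode(blob).decode("ascii"),
        MessageAttributes={
            ENC_ATTR: {"DataType": "String", "StringValue": ENC_VALUE}
        },
    )


def read_body(kms, message, key_id):
    """Return the plaintext body of a received message from either queue."""
    attrs = message.get("MessageAttributes") or {}
    marker = attrs.get(ENC_ATTR, {}).get("StringValue")
    if marker is None:
        return message["Body"]  # regular queue message, no client-side layer
    if marker != ENC_VALUE:
        raise ValueError("unknown body-encryption marker: %r" % marker)
    blob = base64.b64decode(message["Body"], validate=True)
    # Passing KeyId pins decryption to the expected key.
    plain = kms.decrypt(CiphertextBlob=blob, KeyId=key_id)["Plaintext"]
    return plain.decode("utf-8")
```

The consumer has to request the marker in `receive_message` (`MessageAttributeNames=["body-encryption"]`), otherwise the attribute is not returned and the ciphertext would be handled as a regular body. Users who only redrive or browse the DLQ should have no `kms:Decrypt` permission on the key used here.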