Open joel-aws opened 1 year ago
According to CloudFormation docs, leaving the property out should work fine https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled
> instead it assumes SSE-SQS is enabled at the region.

Can you elaborate on this? What exactly isn't functioning as you expect?
Overall, I just feel like explicit is better than implicit for testing (e.g., using cdk-nag).
According to the documentation, AWS has changed the default behaviour for newly created queues.
> To protect the data in a queue’s messages, Amazon SQS has server-side encryption (SSE) enabled by default for all newly created queues.

Existing queues that were created before are still unencrypted. If we explicitly set `sqsManagedSseEnabled` to `true`, this will change the encryption setting for those queues. Is this the desired behaviour (semantic versioning)?
@jumic For standard regions, it is the default. But that isn't the case for all.
Good call out on behavior for already-created Queues. I welcome any thoughts in #24998.
Describe the bug
Right now, an SQS Queue has `SQS_MANAGED` (SSE-SQS) enabled by default. This, however, is implicit and should be explicit, setting the same properties as if `SQS_MANAGED` was explicitly set.
Expected Behavior
I expect the default Queue to create a CFN Resource with the following property:
sqsManagedSseEnabled: true
Current Behavior
There is no `sqsManagedSseEnabled: true` property set, instead it assumes SSE-SQS is enabled at the region.
Reproduction Steps
Create a SQS queue and examine its CFN output.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.70
Framework Version
No response
Node.js Version
16.3.0
OS
Mac
Language
Python
Language Version
No response
Other information
No response
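
The reproduction step above (create a queue and examine its CFN output), as an added Python example that is not part of the issue or of the CDK code base: it reads a synthesized template and reports, per `AWS::SQS::Queue`, whether encryption is declared explicitly or left to the service default. The sample template, function names and state labels are constructed for illustration.

```python
import json

# Constructed sample of a synthesized template (not taken from the issue).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "ImplicitQueue": {"Type": "AWS::SQS::Queue"},
  "ExplicitQueue": {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": true}},
  "KmsQueue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
  "PlainQueue": {"Type": "AWS::SQS::Queue", "Properties": {"SqsManagedSseEnabled": "false"}},
  "Topic": {"Type": "AWS::SNS::Topic"}
}}
""")


def classify_queue(props):
    """Return how a queue's encryption is declared in the template."""
    if props.get("KmsMasterKeyId"):
        return "explicit-sse-kms"
    if "SqsManagedSseEnabled" not in props:
        return "implicit-default"      # outcome depends on the service-side default
    value = props["SqsManagedSseEnabled"]
    if isinstance(value, dict):
        return "unresolved"            # intrinsic function such as Fn::If
    if str(value).lower() == "true":   # accepts JSON true and the string "true"
        return "explicit-sse-sqs"
    return "explicitly-unencrypted"


def audit_template(template):
    """Map each AWS::SQS::Queue logical ID to its encryption declaration."""
    return {
        logical_id: classify_queue(res.get("Properties") or {})
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::SQS::Queue"
    }


def findings(template):
    """Logical IDs a strict check would flag: not explicitly encrypted."""
    ok = {"explicit-sse-sqs", "explicit-sse-kms"}
    states = audit_template(template)
    return sorted(name for name, state in states.items() if state not in ok)


if __name__ == "__main__":
    for name, state in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {state}")
```

Run against the JSON produced by `cdk synth`, a queue created with default settings lands in `implicit-default`, which is the case the issue asks to make explicit.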