aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-sqs): default encryption of `SSE-SQS` is not explicitly set #24993

Open joel-aws opened 1 year ago

joel-aws commented 1 year ago

Describe the bug

Right now, an SQS Queue has SQS_MANAGED (SSE-SQS) enabled by default. This, however, is implicit and should be explicit, setting the same properties as if SQS_MANAGED was explicitly set.

Expected Behavior

I expect the default Queue to create a CFN Resource with the following property: `sqsManagedSseEnabled: true`

Current Behavior

There is no `sqsManagedSseEnabled: true` property set; instead it assumes SSE-SQS is enabled at the region.

Reproduction Steps

Create an SQS queue and examine its CFN output.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.70

Framework Version

No response

Node.js Version

16.3.0

OS

Mac

Language

Python

Language Version

No response

Other information

No response

peterwoodworth commented 1 year ago

According to CloudFormation docs, leaving the property out should work fine https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html#cfn-sqs-queue-sqsmanagedsseenabled

instead it assumes SSE-SQS is enabled at the region.

Can you elaborate on this? What exactly isn't functioning as you expect?

joel-aws commented 1 year ago

Overall, I just feel like explicit is better than implicit for testing (e.g., using cdk-nag).
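As an added example (not code from this issue or from the CDK project), here is a small Python check of the kind the reporter has in mind: it reads a synthesized CloudFormation template and reports every `AWS::SQS::Queue` whose encryption state is left to the regional default instead of being set explicitly via `SqsManagedSseEnabled` or `KmsMasterKeyId`. The sample template is constructed for the example; the `QueueKey` reference is a placeholder.

```python
"""Lint a synthesized CDK/CloudFormation template for SQS queues whose
encryption is only implicit, i.e. neither SqsManagedSseEnabled nor
KmsMasterKeyId appears in the resource's properties."""
import json

# Constructed sample template covering each encryption state.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        # Relies on the regional SSE-SQS default: the case this issue is about.
        "ImplicitQueue": {"Type": "AWS::SQS::Queue",
                          "Properties": {"QueueName": "implicit"}},
        # What the issue asks CDK to emit for a default Queue.
        "SqsManagedQueue": {"Type": "AWS::SQS::Queue",
                            "Properties": {"SqsManagedSseEnabled": True}},
        # SSE-KMS is also explicit ("QueueKey" is a placeholder key resource).
        "KmsQueue": {"Type": "AWS::SQS::Queue",
                     "Properties": {"KmsMasterKeyId": {"Ref": "QueueKey"}}},
        # Explicitly opted out of encryption.
        "DisabledQueue": {"Type": "AWS::SQS::Queue",
                          "Properties": {"SqsManagedSseEnabled": False}},
        # Non-queue resources are ignored.
        "NotAQueue": {"Type": "AWS::SNS::Topic", "Properties": {}},
    }
})

def classify_queue(props):
    """Map one queue's Properties to 'kms', 'sqs-managed', 'disabled' or 'implicit'."""
    if props.get("KmsMasterKeyId"):       # a string or an intrinsic like {"Ref": ...}
        return "kms"
    flag = props.get("SqsManagedSseEnabled")
    if flag is True:
        return "sqs-managed"
    if flag is False:
        return "disabled"
    return "implicit"                     # property absent: regional default decides

def classify_queues(template_json):
    """Return {logical_id: state} for every AWS::SQS::Queue in the template."""
    template = json.loads(template_json)
    return {
        logical_id: classify_queue(resource.get("Properties", {}))
        for logical_id, resource in template.get("Resources", {}).items()
        if resource.get("Type") == "AWS::SQS::Queue"
    }

def flag_queues(template_json):
    """Logical IDs that a cdk-nag style rule would report: implicit or disabled SSE."""
    states = classify_queues(template_json)
    return sorted(lid for lid, state in states.items() if state in ("implicit", "disabled"))
```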

jumic commented 1 year ago

According to the documentation, AWS has changed the default behaviour for newly created queues.

To protect the data in a queue’s messages, Amazon SQS has server-side encryption (SSE) enabled by default for all newly created queues.

Existing queues that were created before are still unencrypted. If we explicitly set `sqsManagedSseEnabled` to true, this will change the encryption setting for those queues. Is this the desired behaviour (semantic versioning)?

joel-aws commented 1 year ago

@jumic For standard regions, it is the default. But that isn't the case for all.

Good callout on behavior for already-created Queues. I welcome any thoughts in #24998.