AWS Developer Tools Blog

Encrypting Message Payloads Using the Amazon SQS Extended Client and the Amazon S3 Encryption Client

The Amazon SQS Extended Client is an open-source Java library that lets you manage Amazon SQS message payloads with Amazon S3. This is especially useful for storing and retrieving messages with a message payload size larger than the SQS limit of 256 KB. Some customers have asked us about encryption. This blog post explains how you can use this library to take advantage of S3 client-side encryption features for your SQS messages.

Here is how the SQS Extended Client Library works: You configure and provide an SQS client, an S3 client, and an S3 bucket to the library. Then you will be able to send, receive, and delete messages exactly as you would with the standard SQS client. The library automatically stores each message payload in an S3 bucket and uses the native SQS payload to transmit a pointer to the S3 object. After the message has been received and deleted by a consumer, the payload is automatically deleted from the S3 bucket. For a code example, see Managing Amazon SQS Messages with Amazon S3 in the Amazon SQS Developer Guide.

To enable client-side encryption, configure an S3 encryption client (instead of a standard S3 client) and pass it to the SQS Extended Client Library. Because the encryption client implements the same AmazonS3 interface, the rest of your code does not change: each payload is encrypted in your process before it is written to S3, and it is decrypted when a consumer's extended client retrieves the object. You can supply your own master key or use AWS Key Management Service (AWS KMS) to manage your encryption keys. In either case, the consumer must use an encryption client that has access to the same key material (or permission to use the same KMS key); otherwise it will receive the SQS message but be unable to decrypt the payload it points to. Note that only the payload stored in S3 is protected by this mechanism: the SQS message itself still carries the pointer to the S3 object (bucket name and object key), not the payload contents. For examples of code that can configure the Amazon S3 encryption client in different ways, see Protecting Data Using Client-Side Encryption in the Amazon S3 Developer Guide.

By default, the SQS Extended Client Library uses S3 only for message payloads larger than the SQS limit of 256 KB; smaller payloads travel in the SQS message body itself and therefore never pass through the S3 encryption client. To have every payload encrypted, enable the AlwaysThroughS3 flag, as in the following example, so that the SQS Extended Client Library sends all messages through Amazon S3, regardless of the message payload size:

// s3EncryptionClient is an S3 encryption client built as described in the S3 Developer Guide;
// passing it here means every payload is encrypted client-side before it reaches the bucket.
ExtendedClientConfiguration extendedClientConfiguration = new ExtendedClientConfiguration()
        .withLargePayloadSupportEnabled(s3EncryptionClient, s3BucketName)
        // Route every message through S3, not only those above the 256 KB threshold.
        .withAlwaysThroughS3(true);

// The extended client is a drop-in AmazonSQS implementation; application code is unchanged.
AmazonSQS sqsExtendedClient = new AmazonSQSExtendedClient(new AmazonSQSClient(credentials),
        extendedClientConfiguration);
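The snippet above leaves out how the S3 encryption client is built and what the producer and consumer then do. The following is an added, end-to-end example written for this post (it is not code from the original post or from the SQS Extended Client project): it builds a KMS-backed S3 encryption client with the AWS SDK for Java builders, wraps it in the extended client with AlwaysThroughS3 enabled, and then sends, receives and deletes one message. The region, bucket name, queue URL and KMS key ARN are placeholder assumptions; replace them with your own resources.

```java
// Added example, not from the original post or the SQS Extended Client project.
// Placeholder region, bucket, queue URL and KMS key ARN below are assumptions.
import com.amazon.sqs.javamessaging.AmazonSQSExtendedClient;
import com.amazon.sqs.javamessaging.ExtendedClientConfiguration;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3EncryptionClientBuilder;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.Message;

import java.util.List;

public class EncryptedExtendedClientExample {

    // Assumed placeholders: substitute your own region, bucket, queue and key.
    private static final Regions REGION = Regions.US_EAST_1;
    private static final String S3_BUCKET = "my-sqs-payload-bucket";
    private static final String QUEUE_URL =
            "https://sqs.us-east-1.amazonaws.com/123456789012/my-queue";
    private static final String KMS_KEY_ARN =
            "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000";

    /** Builds an SQS client whose payloads are encrypted client-side before they reach S3. */
    static AmazonSQS buildEncryptedExtendedClient() {
        // With a KMS-managed master key the encryption client requests a fresh data key from KMS
        // for each object, encrypts the payload locally, and stores the KMS-wrapped data key in
        // the object's metadata. If the key lives in another region, also set
        // CryptoConfiguration.withAwsKmsRegion(...).
        AmazonS3 s3EncryptionClient = AmazonS3EncryptionClientBuilder.standard()
                .withRegion(REGION)
                .withEncryptionMaterials(new KMSEncryptionMaterialsProvider(KMS_KEY_ARN))
                // Strict mode writes AES-GCM and refuses to read objects that were not stored
                // with authenticated encryption, so a downgraded object fails closed on the consumer.
                .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption))
                .build();

        ExtendedClientConfiguration config = new ExtendedClientConfiguration()
                .withLargePayloadSupportEnabled(s3EncryptionClient, S3_BUCKET)
                // Without this, payloads under 256 KB stay in the SQS body and bypass the encryption client.
                .withAlwaysThroughS3(true);

        return new AmazonSQSExtendedClient(
                AmazonSQSClientBuilder.standard().withRegion(REGION).build(), config);
    }

    public static void main(String[] args) {
        AmazonSQS sqs = buildEncryptedExtendedClient();

        // Producer: the body is encrypted and written to S3; the SQS message carries only a pointer.
        // The payload text is a constructed sample.
        sqs.sendMessage(QUEUE_URL, "constructed sample payload: order 42, total 19.99");

        // Consumer: must use an encryption client with access to the same KMS key to decrypt.
        List<Message> messages = sqs.receiveMessage(QUEUE_URL).getMessages();
        for (Message m : messages) {
            System.out.println("Decrypted payload: " + m.getBody());
            // Deleting through the extended client also removes the encrypted object from S3.
            sqs.deleteMessage(QUEUE_URL, m.getReceiptHandle());
        }
    }
}
```

The producer and consumer here share one class for brevity; in practice they are separate processes, and the consumer's IAM principal needs kms:Decrypt on the key plus s3:GetObject and s3:DeleteObject on the bucket, while the producer needs kms:GenerateDataKey and s3:PutObject. Choosing StrictAuthenticatedEncryption rather than the default mode is the one deliberate deviation from the minimal setup: it makes the consumer reject any object that was not written with authenticated encryption instead of silently decrypting it.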

That’s all! Now every message payload sent with the SQS Extended Client Library is encrypted client-side and stored in S3, and it is decrypted transparently when received by a consumer whose extended client uses an encryption client configured with the same key. Please let us know if you have any questions, comments, or suggestions.