Posted On: Feb 11, 2020

Amazon SQS is now available through VPC endpoints, and also provides server-side encryption (SSE) of queues, in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. VPC endpoints allow you to access Amazon SQS from within your Amazon Virtual Private Cloud (Amazon VPC) without traversing the internet.

VPC endpoints for Amazon SQS are powered by Amazon PrivateLink, a highly available, scalable technology that provides secure, private connectivity between VPCs and Amazon Web Services services. Amazon VPC endpoints are easy to configure and provide reliable connectivity to Amazon SQS without requiring an internet gateway, Network Address Translation (NAT) instance, or Amazon Direct Connect connection. With VPC endpoints, data between your Amazon VPC and Amazon SQS stays within the Amazon network and is therefore never exposed to the public internet. You can create an interface VPC endpoint for Amazon SQS in your VPC using the Amazon VPC console, SDK, or CLI. You can also reach the VPC endpoint from on-premises environments over Amazon Direct Connect, or from other VPCs over VPC peering.

Amazon SQS server-side encryption uses the 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-256-GCM) to encrypt each message body. With server-side encryption you can transmit sensitive data through encrypted queues, and the integration with Amazon Key Management Service (KMS) lets you centrally manage the keys that protect SQS messages alongside the keys that protect your other Amazon Web Services resources.

There are no additional Amazon SQS costs to use these features. For VPC endpoints, interface VPC endpoint charges apply. For server-side encryption, you are charged for each Amazon KMS request. For more information on Amazon KMS pricing, see Amazon Key Management Service Pricing.
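The two features above are usually combined on one queue: a queue policy that only honours requests arriving through the SQS VPC endpoint, plus SSE attributes pointing at a KMS key, with the data-key reuse period chosen to limit the per-request KMS charges just mentioned. The following is an added, stand-alone example (not code from the announcement or from AWS) that builds those attribute documents and audits an existing attribute map for both settings; the queue ARN, endpoint ID and key alias are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; none of these come from the announcement.
QUEUE_ARN = "arn:aws-cn:sqs:cn-north-1:111122223333:orders"  # China regions use the aws-cn partition
VPCE_ID = "vpce-0123456789abcdef0"
KMS_KEY = "alias/sqs-orders"  # assumed customer managed key alias

def sse_attributes(kms_key_id, reuse_seconds=300):
    """Queue attributes that turn on SSE with a KMS key.

    SQS caches the data key for reuse_seconds, so a longer period means fewer
    KMS requests (and KMS charges) for the same traffic, at the cost of reusing
    one data key for longer. SQS accepts 60 to 86400 seconds."""
    if not 60 <= reuse_seconds <= 86400:
        raise ValueError("KmsDataKeyReusePeriodSeconds must be 60..86400")
    return {"KmsMasterKeyId": kms_key_id,
            "KmsDataKeyReusePeriodSeconds": str(reuse_seconds)}

def vpce_only_policy(queue_arn, vpce_id):
    """Queue policy denying every request that did not arrive via the endpoint.
    Note the Deny also covers console and CLI calls made from outside the VPC."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyRequestsOutsideVpcEndpoint",
        "Effect": "Deny", "Principal": "*", "Action": "sqs:*",
        "Resource": queue_arn,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}

def audit(attributes):
    """Findings for a GetQueueAttributes-style map (Policy is a JSON string)."""
    findings = []
    if not attributes.get("KmsMasterKeyId"):
        findings.append("no server-side encryption: KmsMasterKeyId not set")
    statements = json.loads(attributes.get("Policy", "{}")).get("Statement", [])
    pinned = any(s.get("Effect") == "Deny"
                 and "aws:sourceVpce" in s.get("Condition", {}).get("StringNotEquals", {})
                 for s in statements)
    if not pinned:
        findings.append("queue reachable from outside the VPC endpoint")
    return findings

def hardened_attributes(queue_arn=QUEUE_ARN, vpce_id=VPCE_ID, kms_key_id=KMS_KEY):
    """Attribute map as you would pass it to SetQueueAttributes."""
    attrs = sse_attributes(kms_key_id)
    attrs["Policy"] = json.dumps(vpce_only_policy(queue_arn, vpce_id))
    return attrs

if __name__ == "__main__":
    print("default queue:", audit({}))
    print("hardened queue:", audit(hardened_attributes()))
```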

To learn more: