Which solution will meet this requirement?
Enable server-side encryption for the SQS queue by using an SQS managed encryption key (SSE-SQS).
Use the aws:SecureTransport condition in the queue policy to ensure that only HTTPS (TLS) is used for all requests to the SQS queue.
Use AWS Certificate Manager (ACM) to generate an SSL/TLS certificate. Reference the certificate when messages are sent to the queue.
Set a message attribute in the SQS SendMessage request for messages that are sent to the queue. Set the Name to ENCRYPT. Set the Value to TRUE.
Explanations:
Enabling server-side encryption (SSE-SQS) for the SQS queue uses an AWS-managed encryption key to encrypt all messages at rest automatically. This ensures that sensitive information within the messages is protected, meeting the requirement for data encryption at rest.
The aws:SecureTransport condition enforces the use of HTTPS for requests to the SQS queue, ensuring secure transmission of messages in transit. However, it does not address the requirement for encrypting data at rest.
AWS Certificate Manager (ACM) provides SSL/TLS certificates for secure communication but does not encrypt messages stored in SQS. This approach would secure data in transit rather than at rest.
Setting a message attribute to indicate that a message should be encrypted does not implement actual encryption for messages at rest. This option lacks any mechanism to enforce encryption and would not protect sensitive information.