Add support for AWS Server Side Encryption (SSE) when creating queues and topics

[mauroservienti]

Describe the suggested improvement

Is your improvement related to a problem? Please describe.

AWS SQS queues and SNS topics support server-side encryption, enabling in-flight messages to be encrypted as they travel across the AWS infrastructure.

The SQS transport could work with SSE entities; however, support is limited to queues and topics only when auto-subscribe is disabled. Otherwise, the created topic won't use SSE.

In general, the transport lacks support to create SSE entities, both when using NServiceBus installers or the transport CLI.

AWS Resources:

• https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
• https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html

Describe the suggested solution

Add a configuration flag and the related configuration values to enable the transport to create SSE entities.

Additional Context

No response

[mauroservienti]

I was looking into SSE and noticed that SQS supports two types of encryption:

• SQS managed (for free)
• KMS managed (with the additional KMS cost)

My understanding is that SNS only supports KMS encryption.

If that’s the case, the following assumptions must be (un)validated:

• A managed encryption SQS queue cannot subscribe to a message published to a KMS SNS topic, but it requires KMS there as well
• Considering that the transport transparently manages SNS topics and SQS queues, does the above make managed encryption for SQS a non-starter (it would be helpful only if the system never uses SNS)?