diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf
index 9961063c95..f2521b0e52 100644
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -119,7 +119,9 @@ module "karpenter" {
 AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
- tags = local.tags
+ # Used to enforce TLS messaging on SQS queue
+ queue_enforce_tls_messages = true
+ tags = local.tags
 }
 
 module "karpenter_disabled" {
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
index fe1956eb80..d2868aa6d6 100644
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -171,6 +171,7 @@ No modules.
 | [node\_iam\_role\_permissions\_boundary](#input\_node\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
 | [node\_iam\_role\_tags](#input\_node\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | [node\_iam\_role\_use\_name\_prefix](#input\_node\_iam\_role\_use\_name\_prefix) | Determines whether the Node IAM role name (`node_iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| [queue\_enforce\_tls\_messages](#input\_queue\_enforce\_tls\_messages) | Enforces TLS messaging on the SQS queue | `bool` | `false` | no |
 | [queue\_kms\_data\_key\_reuse\_period\_seconds](#input\_queue\_kms\_data\_key\_reuse\_period\_seconds) | The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again | `number` | `null` | no |
 | [queue\_kms\_master\_key\_id](#input\_queue\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
 | [queue\_managed\_sse\_enabled](#input\_queue\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no |
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index d03dfa49f8..39bc7ecdf8 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -188,6 +188,31 @@ data "aws_iam_policy_document" "queue" {
 ]
 }
 }
+ dynamic "statement" {
+ for_each = var.queue_enforce_tls_messages ? [1] : []
+ content {
+ sid = "DenyNonTLS"
+ effect = "Deny"
+ actions = [
+ "sqs:SendMessage",
+ "sqs:ReceiveMessage"
+ ]
+ resources = [aws_sqs_queue.this[0].arn]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [
+ "false"
+ ]
+ }
+ principals {
+ type = "*"
+ identifiers = [
+ "*"
+ ]
+ }
+ }
+ }
 }
 
 resource "aws_sqs_queue_policy" "this" {
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
index 71b2cbdf38..daeeec9893 100644
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
@@ -207,6 +207,12 @@ variable "queue_kms_data_key_reuse_period_seconds" {
 default = null
 }
 
+variable "queue_enforce_tls_messages" {
+ description = "Enforces TLS messaging on the SQS queue"
+ type = bool
+ default = false
+}
+
 ################################################################################
 # Node IAM Role
 ################################################################################
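Review bot: The new `DenyNonTLS` statement in `data "aws_iam_policy_document" "queue"` lists only `sqs:SendMessage` and `sqs:ReceiveMessage`, so with `queue_enforce_tls_messages = true` every other queue operation (deleting messages, reading or changing queue attributes) is still permitted over plaintext HTTP, which is not what "enforce TLS on the queue" implies. If the goal is queue-wide transport enforcement, the deny should cover all actions, `actions = ["sqs:*"]`, which is the shape AWS's own encryption-in-transit deny statement uses; a Deny on `sqs:*` keyed on `aws:SecureTransport = false` does not affect TLS callers such as EventBridge or Karpenter. The `resources` line references `aws_sqs_queue.this[0].arn`, suggesting the queue is created under `count`, but the enclosing data block and its own `count` start before this hunk, so whether the policy document is only evaluated when the queue exists cannot be confirmed here.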
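Review bot: The description on `variable "queue_enforce_tls_messages"` in variables.tf, `Enforces TLS messaging on the SQS queue`, does not tell a README reader what the flag actually does or that it is opt-in with a `false` default. Suggest `description = "Determines whether to add a Deny statement to the SQS queue policy for requests made without TLS (aws:SecureTransport = false)"` so the generated README row states the mechanism and the condition. Since the default is `false`, it is also worth a sentence in the description noting that the queue policy permits non-TLS requests unless this is enabled.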