AWS SQS / SNS
Cloud Storage & Messaging
system_type: "aws_sqs"
PQC-encrypt message bodies before publishing to SQS queues or SNS topics.
Overview
The AWS SQS/SNS connector encrypts message bodies with ML-KEM-768 + AES-256-GCM before publishing, and verifies the ML-DSA-65 signature on receive. AWS credentials are sealed in QuantaVault. Consumer applications receive HybridCryptoEnvelopes they can verify and decrypt using the QuantaSeal SDK.
Endpoint: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...
Prerequisites
1. An SQS queue or SNS topic ARN
2. IAM credentials with sqs:SendMessage / sns:Publish permissions
3. A QuantaSeal API key
Configuration
Follow these steps to connect AWS SQS / SNS to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. Create an IAM user with sqs:SendMessage and sqs:ReceiveMessage on the target queue ARN.
2. Seal credentials: POST /api/v2/vault/seal with credential_type: aws_credentials.
3. Create the integration: POST /api/v2/integrations with system_type: aws_sqs and either queue_url or topic_arn.
Authentication Types
Store IAM access_key_id and secret_access_key as aws_credentials in QuantaVault. Scope the policy to specific queue/topic ARNs.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| send_message | Send a PQC-encrypted message to an SQS queue. |
| receive_message | Receive and decrypt messages from an SQS queue. |
| publish | Publish a PQC-encrypted message to an SNS topic. |
| delete_message | Delete a processed SQS message. |
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
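The request construction and the envelope checks described here, as an added Python example that is neither the QuantaSeal SDK nor code from the original page: it serialises the nested message_body as a JSON string, sanity-checks a HybridCryptoEnvelope against the algorithm names, tenant_id and field sizes shown in the response below, and combines the two signature verifiers with a non-short-circuit `&`. The verify_pqc / verify_hmac callables and make_sample_envelope are hypothetical stand-ins for the SDK and for a real proxy response.

```python
import base64
import json

# Field sizes and tenant id taken from the envelope shown in the Code Example.
KEM_CT_LEN, NONCE_LEN, HMAC_LEN = 1088, 12, 64   # ML-KEM-768 ct, GCM nonce, HMAC-SHA-512
TENANT = "ten_01HZ9X2K4MNPQR5STUVWXYZ00"

def build_send_message_request(integration_id, event, group_id):
    # message_body is itself JSON, so it is serialised to a string first
    # rather than pasted raw inside the outer document.
    return json.dumps({
        "integration_id": integration_id,
        "operation": "send_message",
        "payload": {"message_body": json.dumps(event),
                    "message_group_id": group_id},
    })

def _b64len(s):
    return len(base64.b64decode(s, validate=True))

def check_envelope_shape(env):
    # Structural checks run before any cryptographic verification:
    # expected algorithms, one tenant_id across both sections, field sizes.
    enc, sig = env["encrypted"], env["signature"]
    return (env.get("success") is True
            and enc["algorithm"] == "ML-KEM-768"
            and sig["algorithm"] == "ML-DSA-65+HMAC-SHA-512"
            and enc["tenant_id"] == sig["tenant_id"]
            and _b64len(enc["ciphertext_kem"]) == KEM_CT_LEN
            and _b64len(enc["nonce"]) == NONCE_LEN
            and _b64len(sig["hmac_signature"]) == HMAC_LEN)

def both_signatures_valid(verify_pqc, verify_hmac, env):
    # verify_pqc / verify_hmac are hypothetical callables (e.g. wrapping the
    # SDK) returning bool. '&' evaluates both operands, so a failed ML-DSA-65
    # check never skips the HMAC check the way 'and' would.
    return bool(verify_pqc(env) & verify_hmac(env))

def make_sample_envelope():
    # Constructed sample with correctly sized zero-filled fields.
    z = lambda n: base64.b64encode(bytes(n)).decode()
    return {"success": True,
            "encrypted": {"ciphertext_kem": z(KEM_CT_LEN), "ciphertext_data": z(48),
                          "nonce": z(NONCE_LEN), "tenant_id": TENANT,
                          "algorithm": "ML-KEM-768"},
            "signature": {"pqc_signature": z(3309), "hmac_signature": z(HMAC_LEN),
                          "tenant_id": TENANT, "algorithm": "ML-DSA-65+HMAC-SHA-512"},
            "audit_event_id": "aud_01HZ9XABCDEF"}
```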
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRSQS0000001",
    "operation": "send_message",
    "payload": {
      "message_body": "{\"event\": \"order.created\", \"order_id\": \"ord_9821\"}",
      "message_group_id": "orders"
    }
  }'
# Response - HybridCryptoEnvelope
{
  "success": true,
  "encrypted": {
    "ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted SQS SendMessage result>",
    "nonce": "<base64 - 12 bytes>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-KEM-768"
  },
  "signature": {
    "pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}
Consumers decrypt the envelope with client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not a short-circuit and.
Troubleshooting
InvalidClientTokenId
The access_key_id in the vault entry is incorrect or the IAM user has been deleted. Re-create the vault entry with valid credentials.