Short version: Encrypt queues with KMS, split producer/consumer IAM, set a DLQ, and alarm on queue age/depth. Keep retention/visibility explicit.
1) Create queue with sane defaults
- Server-side encryption (your KMS key), retention 4–14 days as needed.
- Visibility timeout ≥ max processing time.
- DLQ with a reasonable maxReceiveCount (e.g., 5).
2) IAM separation
# Producer: send only
{"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": "arn:aws:sqs:...:queue"}
# Consumer: receive, delete, change visibility
{"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"], "Resource": "arn:aws:sqs:...:queue"}
Use VPC endpoints and condition keys (aws:SourceVpce) to restrict access paths.
3) Monitoring (start here)
- ApproximateAgeOfOldestMessage > threshold → alarm.
- ApproximateNumberOfMessagesVisible trending up → capacity issue.
- DLQ depth > 0 → ticket.
4) Hygiene
- No secrets/PII in messages if you can avoid it; if unavoidable, encrypt client-side too.
- Set log retention on CloudWatch; don’t leave “never expire”.