AWS SNS Topic is not Encrypted
Description:
Amazon Simple Notification Service (SNS) is a managed publish-subscribe messaging service. When sensitive data is being processed or communicated, it's crucial to ensure that the data is encrypted to maintain its confidentiality. AWS provides server-side encryption for SNS topics, using the Key Management Service (KMS), to encrypt the messages stored in the topic.
Remediation:
1. Encrypt SNS Topic:
AWS Management Console:
- Navigate to the SNS service.
- Select Topics from the left pane.
- Click on the topic you want to encrypt.
- In the Details section, select Edit.
- Under Encryption, check Enable encryption.
- Choose the desired KMS key from the dropdown or create a new one.
AWS CLI:
To modify an SNS topic to use encryption:
aws sns set-topic-attributes --topic-arn <YOUR-TOPIC-ARN> --attribute-name KmsMasterKeyId --attribute-value <YOUR-KMS-KEY-ID>
Replace <YOUR-TOPIC-ARN>
with the ARN of your SNS topic and <YOUR-KMS-KEY-ID>
with your CMK ID.
Terraform:
resource "aws_sns_topic" "example" {
name = "example"
kms_master_key_id = aws_kms_key.example.arn
# ... other configurations ...
}
resource "aws_kms_key" "example" {
description = "KMS key for SNS Topic Encryption"
# other configurations...
}
Recommendation:
For enhanced security, always ensure that your SNS topics, especially those handling sensitive information, are encrypted using a KMS key. Server-side encryption protects your data at rest and assures that the stored messages are encrypted and decrypted transparently, with the keys managed by AWS KMS.
Updated about 1 year ago