AWS SNS Topic is not Encrypted

Description:

Amazon Simple Notification Service (SNS) is a managed publish-subscribe messaging service. Messages published to a topic are stored by SNS until they are delivered to subscribers, so any sensitive data passing through the topic sits at rest inside AWS. SNS supports server-side encryption (SSE): when a topic is configured with an AWS Key Management Service (KMS) key, SNS encrypts the body of each message as soon as it is received and decrypts it only when delivering to a subscriber. Note that SSE covers the message body only; the subject, message attributes and topic metadata are not encrypted, so they should not carry sensitive values. A topic with no KmsMasterKeyId attribute (or with the attribute set to an empty string) has SSE disabled, which is the condition this finding reports.


Remediation:

1. Encrypt SNS Topic:

AWS Management Console:
  • Navigate to the SNS service.
  • Select Topics from the left pane.
  • Click on the topic you want to encrypt.
  • In the Details section, select Edit.
  • Under Encryption, check Enable encryption.
  • Choose a KMS key from the dropdown or create a new one. The AWS managed key (alias/aws/sns) is the default; pick a customer managed key if other AWS accounts or AWS services (EventBridge, CloudWatch alarms, S3 event notifications, etc.) must publish to the topic, because the policy of the AWS managed key cannot be edited to grant them kms:GenerateDataKey* and kms:Decrypt.
AWS CLI:

To enable encryption on an existing SNS topic, set its KmsMasterKeyId attribute:

aws sns set-topic-attributes --topic-arn <YOUR-TOPIC-ARN> --attribute-name KmsMasterKeyId --attribute-value <YOUR-KMS-KEY-ID>

Replace <YOUR-TOPIC-ARN> with the ARN of your SNS topic and <YOUR-KMS-KEY-ID> with the ID, ARN or alias of your KMS key (for example alias/aws/sns for the AWS managed key, or the ARN of a customer managed key). Setting the attribute to an empty string disables encryption again. To verify the change, run get-topic-attributes for the topic and confirm that the KmsMasterKeyId attribute is present and non-empty.

Terraform:
resource "aws_sns_topic" "example" {
  name              = "example"
  # Accepts a key ID, key ARN or alias; omitting it leaves the topic unencrypted.
  kms_master_key_id = aws_kms_key.example.arn
  # ... other configurations ...
}

resource "aws_kms_key" "example" {
  description         = "KMS key for SNS Topic Encryption"
  enable_key_rotation = true
  # If AWS services must publish to the topic, add a key policy statement that
  # grants the service principal kms:GenerateDataKey* and kms:Decrypt.
  # other configurations...
}
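
The remediation above, as an added Python (boto3) example that is not code from the original page: it classifies every topic in an account as unencrypted, encrypted with the AWS managed key, or encrypted with a customer managed key, optionally applies the same SetTopicAttributes call the CLI step uses, and builds the key policy statement a customer managed key needs before an AWS service can publish to the topic. The sample attribute dicts are constructed, the account ID and key ARN are placeholders, boto3 and AWS credentials are assumed to be available for the live audit, and the aws:SourceAccount condition in the policy statement is a hardening choice made here rather than something the page prescribes.

```python
"""Audit SNS topics for server-side encryption and remediate with a KMS key.

Added example, not code from the original page. The classification and
key-policy helpers are pure functions over the dict returned by
sns.get_topic_attributes(...)["Attributes"], so they run offline; only
audit_account() talks to AWS (boto3 and configured credentials are assumed).
"""
from typing import Dict, Optional

# Alias of the AWS managed key for SNS. Its key policy cannot be edited, so
# topics using it cannot be published to by other accounts or by AWS services.
AWS_MANAGED_SNS_KEY_ALIAS = "alias/aws/sns"

# Constructed sample responses in the shape of GetTopicAttributes output
# (account ID and key ID are placeholders, not real resources).
SAMPLE_UNENCRYPTED = {
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:orders",
    "Owner": "123456789012",
}
SAMPLE_AWS_MANAGED = dict(SAMPLE_UNENCRYPTED, KmsMasterKeyId=AWS_MANAGED_SNS_KEY_ALIAS)
SAMPLE_CUSTOMER_KEY = dict(
    SAMPLE_UNENCRYPTED,
    KmsMasterKeyId="arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
)


def encryption_key(attributes: Dict[str, str]) -> Optional[str]:
    """KMS key id/ARN/alias configured on the topic, or None if SSE is off.

    SNS omits KmsMasterKeyId entirely when SSE was never enabled, and setting
    it to an empty string is how SSE is disabled, so both cases mean "off".
    """
    return attributes.get("KmsMasterKeyId") or None


def classify_topic(attributes: Dict[str, str]) -> str:
    """Return UNENCRYPTED, AWS_MANAGED_KEY or CUSTOMER_MANAGED_KEY."""
    key = encryption_key(attributes)
    if key is None:
        return "UNENCRYPTED"
    if key.endswith(AWS_MANAGED_SNS_KEY_ALIAS):  # plain alias or its ARN form
        return "AWS_MANAGED_KEY"
    return "CUSTOMER_MANAGED_KEY"


def service_publish_statement(service_principal: str, account_id: str) -> dict:
    """Key-policy statement letting an AWS service (e.g. events.amazonaws.com)
    publish to topics encrypted with a customer managed key: it needs to
    generate a data key to encrypt and to decrypt on delivery. The
    aws:SourceAccount condition (a hardening choice here) restricts the grant
    to the service acting on behalf of your own account."""
    return {
        "Sid": "AllowServiceToUseKeyForSNS",
        "Effect": "Allow",
        "Principal": {"Service": service_principal},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }


def remediate_topic(sns, topic_arn: str, key_id: str):
    """Enable SSE on one topic; same call as the CLI set-topic-attributes step."""
    return sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="KmsMasterKeyId", AttributeValue=key_id
    )


def audit_topics(sns, key_id: Optional[str] = None) -> Dict[str, str]:
    """Map every topic ARN to its encryption status. If key_id is given,
    unencrypted topics are remediated with it and reported as REMEDIATED."""
    results = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            status = classify_topic(sns.get_topic_attributes(TopicArn=arn)["Attributes"])
            if status == "UNENCRYPTED" and key_id:
                remediate_topic(sns, arn, key_id)
                status = "REMEDIATED"
            results[arn] = status
    return results


def audit_account(key_id: Optional[str] = None, region: str = "us-east-1") -> Dict[str, str]:
    """Run the audit against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the pure helpers above work without it

    return audit_topics(boto3.client("sns", region_name=region), key_id)


if __name__ == "__main__":
    import json
    import sys

    # Usage: python sns_sse_audit.py [customer-managed-key-arn]
    # Without a key argument the script only reports; with one it remediates.
    print(json.dumps(audit_account(sys.argv[1] if len(sys.argv) > 1 else None), indent=2))
```

Run it without arguments first to get a report, review which topics are published to by other accounts or AWS services, and only then pass a customer managed key whose policy already contains the statement produced by service_publish_statement for each such service; enabling SSE with the AWS managed key on those topics would silently break their publishers.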

Recommendation:

Ensure that every SNS topic, and in particular any topic that carries sensitive information, is encrypted with a KMS key. Server-side encryption protects message bodies at rest: SNS encrypts them on receipt and decrypts them transparently on delivery, with the key material managed by AWS KMS. Prefer a customer managed key over the AWS managed key (alias/aws/sns) when other accounts or AWS services need to publish to the topic, since only a customer managed key has an editable key policy in which those principals can be granted kms:GenerateDataKey* and kms:Decrypt; enabling SSE without that grant breaks their publishes. Also enable automatic key rotation on the customer managed key. Remember that SSE does not cover message subjects, message attributes or topic metadata, and that it does not address data in transit, which relies on TLS and can be enforced by denying publishes with a topic policy condition on aws:SecureTransport.