AWS SNS Topic is not Encrypted with the Customer Master Key (CMK)


Amazon Simple Notification Service (SNS) topics support server-side encryption (SSE) using keys stored in AWS Key Management Service (KMS). While AWS provides default encryption for SNS topics using AWS managed keys, it is often a best practice, especially for regulatory and compliance reasons, to encrypt using a Customer Master Key (CMK).


1. Encrypt SNS Topic using CMK:

AWS Management Console:
  • Navigate to the SNS service.
  • Select Topics from the left pane.
  • Click on the topic you want to encrypt.
  • In the Details section, select Edit.
  • Under Encryption, check Enable encryption.
  • Choose the desired CMK from the dropdown. Ensure it's not an AWS managed key but a customer managed key.

To modify an SNS topic to use a CMK for encryption:

aws sns set-topic-attributes --topic-arn <YOUR-TOPIC-ARN> --attribute-name KmsMasterKeyId --attribute-value <YOUR-CMK-ID>

Replace <YOUR-TOPIC-ARN> with the ARN of your SNS topic and <YOUR-CMK-ID> with your CMK ID.

resource "aws_sns_topic" "example" {
  name              = "example"
  kms_master_key_id = aws_kms_key.example.arn
  # ... other configurations ...

resource "aws_kms_key" "example" {
  description             = "KMS CMK for SNS Topic Encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 7
  # other configurations...


For higher control and security assurance, always encrypt your SNS topics using Customer Master Keys (CMKs) rather than the default AWS managed keys. CMKs provide the ability to define granular permissions, set key rotation policies, and directly manage the lifecycle of the key.