Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)
Server-side encryption (SSE) lets you store sensitive data in encrypted topics. SSE protects the contents of messages in Amazon SNS topics using keys managed in AWS Key Management Service (AWS KMS). SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored in encrypted form and Amazon SNS decrypts messages only when they are sent.
Risk Level: High
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.CRY.47
Covered by Spectral: No
Category: Application Integration
GSL LOGIC
SnsTopic should have cryptoKey.enabled=true
REMEDIATION
From Portal
Perform the following to set server side encryption to your topic:
- Sign on to the Amazon SNS console
- On the navigation panel, choose Topics.
- Click on the topic you want to enable encryption for.
- In the top-right corner, click Edit.
- Under Encryption, select Enable encryption.
- Select a customer master key - you can use the default AWS key or a custom key in KMS.
From TF
resource "aws_sns_topic" "example" {
...
name = "example_name"
+ kms_master_key_id = "KMS_KEY"
}
From Command Line
aws sns set-topic-attributes --topic-arn VALUE --attribute-name KmsMasterKeyId --attribute-value KMS_KEY
References
- https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html
- https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
SNS Topic
An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago