Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.CRY.51
Covered by Spectral: Yes
Category: Application Integration

GSL LOGIC

SnsTopic where cryptoKey.enabled=true should have cryptoKey.isCustomerManaged=true

REMEDIATION

From Portal
Perform the following steps to setup at-rest encryption using customer managed key:

Sign on to the Amazon SNS console
On the navigation panel, choose Topics.
Click on the topic you want to enable encryption for.
In the top-right corner, click Edit.
Under Encryption, Enable encryption tab.
Under Customer master Key (CMK), enter an existing customer managed key ARN.

From TF

resource "aws_sns_topic" "test" {
    name              = "example_name"
    - kms_master_key_id = "CUSTOMER_MANAGED_KEY"
    + kms_master_key_id = "CUSTOMER_MANAGED_KEY"
}

From Command Line

aws sns set-topic-attributes --topic-arn VALUE --attribute-name KMS_MASTER_KEY_ID --attribute-value CUSTOMER_MANAGED_KEY

References

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset