Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs

AWS SNS topic should be encrypted using Customer Managed Keys instead of AWS-owned CMKs. This is required in order to meet encryption regulatory requirements of Server-Side encryption for sensitive data that may be stored in the topic.

Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.CRY.51
Covered by Spectral: Yes
Category: Application Integration


SnsTopic where cryptoKey.enabled=true should have cryptoKey.isCustomerManaged=true


From Portal
Perform the following steps to setup at-rest encryption using customer managed key:

  1. Sign on to the Amazon SNS console
  2. On the navigation panel, choose Topics.
  3. Click on the topic you want to enable encryption for.
  4. In the top-right corner, click Edit.
  5. Under Encryption, Enable encryption tab.
  6. Under Customer master Key (CMK), enter an existing customer managed key ARN.

From TF

resource "aws_sns_topic" "test" {
	name              = "example_name"
	- kms_master_key_id = "CUSTOMER_MANAGED_KEY"
	+ kms_master_key_id = "CUSTOMER_MANAGED_KEY"

From Command Line

aws sns set-topic-attributes --topic-arn VALUE --attribute-name KMS_MASTER_KEY_ID --attribute-value CUSTOMER_MANAGED_KEY


  1. https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html
  2. https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
  5. https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset