Risk Level: High
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.TF.AWS.CRY.47
Covered by Spectral: No
Category: Application Integration

GSL LOGIC

aws_sns_topic should have kms_master_key_id

REMEDIATION

Perform the following to set server side encryption to your topic:

Sign on to the Amazon SNS console
On the navigation panel, choose Topics.
On the Topics page, choose a topic and choose Actions, Edit.
Expand the Encryption section and do the following:
a. Choose Enable encryption.
b. Specify the customer master key (CMK).
Choose Save changes.

From CLI
aws sns set-topic-attributes --topic-arn <Topic ARN> --attribute-name KmsMasterKeyId --attribute-value <CMK name>

References: https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

Terraform AWS CIS Foundations