Ensure that Amazon SNS topics enforce Server-Side Encryption (SSE)

Server-side encryption (SSE) lets you store sensitive data in encrypted topics. SSE protects the contents of messages in Amazon SNS topics using keys managed in AWS Key Management Service (AWS KMS). SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored in encrypted form and Amazon SNS decrypts messages only when they are sent.

Risk Level: High
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.TF.AWS.CRY.47
Covered by Spectral: No
Category: Application Integration

GSL LOGIC

aws_sns_topic should have kms_master_key_id
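As an added example (not CloudGuard's rule engine or any code from the project), the following Python applies the rule above to the JSON form of a Terraform plan (`terraform show -json tfplan`), recursing into child modules and treating an absent, null or empty `kms_master_key_id` as a finding. The sample plan is constructed inline and its topic and module names are made up.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the rule needs: one encrypted topic, one with no key, one with "".
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_sns_topic.orders", "mode": "managed",
                 "type": "aws_sns_topic", "name": "orders",
                 "values": {"name": "orders",
                            "kms_master_key_id": "alias/sns-orders"}},
                {"address": "aws_sns_topic.alerts", "mode": "managed",
                 "type": "aws_sns_topic", "name": "alerts",
                 "values": {"name": "alerts"}},
            ],
            "child_modules": [
                {"address": "module.billing", "resources": [
                    {"address": "module.billing.aws_sns_topic.invoices",
                     "mode": "managed", "type": "aws_sns_topic",
                     "name": "invoices",
                     "values": {"name": "invoices", "kms_master_key_id": ""}},
                ]},
            ],
        }
    },
})

def iter_resources(module):
    """Yield every resource in a plan module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unencrypted_sns_topics(plan_json):
    """Return addresses of managed aws_sns_topic resources that fail
    'aws_sns_topic should have kms_master_key_id'. An empty string leaves
    the topic unencrypted, so it is reported like a missing attribute."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_sns_topic" or res.get("mode") != "managed":
            continue  # skip data sources and unrelated resource types
        if not res.get("values", {}).get("kms_master_key_id"):
            findings.append(res["address"])
    return findings

if __name__ == "__main__":
    for address in unencrypted_sns_topics(SAMPLE_PLAN):
        print(f"FAIL {address}: no kms_master_key_id, SSE not enforced")
```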

REMEDIATION

Perform the following to enable server-side encryption on your topic:

  1. Sign in to the Amazon SNS console.
  2. On the navigation panel, choose Topics.
  3. On the Topics page, choose a topic and choose Actions, Edit.
  4. Expand the Encryption section and do the following:
    a. Choose Enable encryption.
    b. Specify the customer master key (CMK).
  5. Choose Save changes.

From the CLI:
aws sns set-topic-attributes --topic-arn <Topic ARN> --attribute-name KmsMasterKeyId --attribute-value <CMK name>

References: https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • Terraform AWS CIS Foundations