Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Key) instead of AWS-owned CMK's
AWS SNS topic should be encrypted using AWS Managed Customer Master Key (CMK), instead of AWS-owned CMK. This is required in order to meet encryption regulatory requirements of Server-Side encryption for sensitive data that may be stored in the topic. In addition, encrypting SNS topic with AWS-managed CMK allows you to view the CMK and its key policy and also audit the encryption/decryption events by examining the SNS API calls using CloudTrail.
Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.TF.AWS.CRY.51
Covered by Spectral: No
Category: Application Integration
GSL LOGIC
aws_sns_topic where kms_master_key_id should not have kms_master_key_id like '%alias/aws/%'
REMEDIATION
Perform the following to set at-rest encryption with your own managed key:
From Portal
- Login to AWS Console
- Navigate to KMS Service
- Select "Customer managed key" and create a new key. Copy the ARN of the new key
- Navigate to SNS Service -> Topics
- Select the relevant topic and click Edit
- Look for "Encryption - Optional". Paste the ARN of the new key you just created.
From CLI
aws sns set-topic-attributes --topic-arn <Topic ARN> --attribute-name KmsMasterKeyId --attribute-value <CMK name>
From TF
resource "aws_sns_topic" "user_updates" {
- kms_master_key_id = "alias/aws/sns"
}
References
Use the following reference for additional information regarding SSE for SNS:
https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
SNS Topic
An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.
Compliance Frameworks
- Terraform AWS CIS Foundations
Updated over 1 year ago