Ensure that AWS SNS topic is encrypted using AWS managed CMKs (Customer Master Keys) instead of AWS-owned CMKs

An AWS SNS topic should be encrypted using an AWS Managed Customer Master Key (CMK) instead of an AWS-owned CMK. This is required to meet the server-side encryption regulatory requirements for sensitive data that may be stored in the topic. In addition, encrypting an SNS topic with an AWS-managed CMK allows you to view the CMK and its key policy, and to audit encryption/decryption events by examining the SNS API calls recorded in CloudTrail.

Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.TF.AWS.CRY.51
Covered by Spectral: No
Category: Application Integration

GSL LOGIC

aws_sns_topic where kms_master_key_id should not have kms_master_key_id like '%alias/aws/%'
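The GSL line above flags any encrypted topic whose KmsMasterKeyId matches alias/aws/, whether it is given as a bare alias or as a full alias ARN. The following Python is an added example, not CloudGuard's rule engine or any AWS SDK code: it applies the same predicate to the "Attributes" map returned by `aws sns get-topic-attributes`, and builds the CLI remediation command shown later on this page. All topic ARNs, key ARNs and aliases in it are constructed sample values.

```python
"""Offline evaluation of the D9.TF.AWS.CRY.51 predicate over SNS topic attributes.

Added example; not CloudGuard's engine. Every ARN/alias below is constructed.
"""
import re
from typing import Dict, List, Optional

# GSL: kms_master_key_id like '%alias/aws/%' -> an AWS-managed key (e.g. alias/aws/sns),
# matched anywhere in the value so both "alias/aws/sns" and
# "arn:aws:kms:REGION:ACCOUNT:alias/aws/sns" are caught.
AWS_MANAGED_ALIAS = re.compile(r"alias/aws/")


def key_kind(kms_master_key_id: Optional[str]) -> str:
    """Classify a topic's KmsMasterKeyId attribute.

    Returns "unencrypted" when the attribute is absent/empty (the GSL filter
    'where kms_master_key_id' leaves such topics out of this rule's scope),
    "aws-managed" for alias/aws/* keys, and "customer-managed" otherwise
    (a key ID, key ARN, or a non-AWS alias such as alias/sns-topic-key).
    """
    if not kms_master_key_id:
        return "unencrypted"
    if AWS_MANAGED_ALIAS.search(kms_master_key_id):
        return "aws-managed"
    return "customer-managed"


def is_compliant(kms_master_key_id: Optional[str]) -> bool:
    """Rule passes unless the topic is encrypted with an AWS-managed key."""
    return key_kind(kms_master_key_id) != "aws-managed"


def find_noncompliant(topics: Dict[str, Dict[str, str]]) -> List[str]:
    """Given {topic_arn: Attributes-map from get-topic-attributes}, return the
    ARNs that fail the rule, in a stable (sorted) order for reporting."""
    return sorted(
        arn for arn, attrs in topics.items()
        if not is_compliant(attrs.get("KmsMasterKeyId"))
    )


def remediation_command(topic_arn: str, cmk: str) -> str:
    """The set-topic-attributes call from the page's CLI remediation, filled in."""
    return (
        "aws sns set-topic-attributes "
        f"--topic-arn {topic_arn} "
        "--attribute-name KmsMasterKeyId "
        f"--attribute-value {cmk}"
    )


# Constructed sample: four topics in a fictitious account, as get-topic-attributes
# would describe them (only the attributes relevant here are included).
SAMPLE_TOPICS: Dict[str, Dict[str, str]] = {
    "arn:aws:sns:us-east-1:123456789012:user-updates": {
        "KmsMasterKeyId": "alias/aws/sns",                       # AWS-managed -> fail
    },
    "arn:aws:sns:us-east-1:123456789012:order-events": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:alias/aws/sns",  # fail
    },
    "arn:aws:sns:us-east-1:123456789012:billing-alerts": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/"
                          "1234abcd-12ab-34cd-56ef-1234567890ab",  # customer-managed -> pass
    },
    "arn:aws:sns:us-east-1:123456789012:plain-notices": {
        "DisplayName": "plain-notices",                           # no SSE -> out of scope
    },
}

# Constructed customer-managed key ARN used when printing remediation commands.
SAMPLE_CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"

if __name__ == "__main__":
    for arn in find_noncompliant(SAMPLE_TOPICS):
        print(f"NON-COMPLIANT {arn}")
        print("  " + remediation_command(arn, SAMPLE_CMK_ARN))
```

The classifier deliberately keeps unencrypted topics out of the failing set: that mirrors the GSL `where kms_master_key_id` filter, and the absence of SSE is a separate finding rather than this rule's.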

REMEDIATION

Perform the following to set at-rest encryption with your own managed key:

From Portal

  1. Log in to the AWS Console.
  2. Navigate to the KMS service.
  3. Select "Customer managed keys" and create a new key. Copy the ARN of the new key.
  4. Navigate to the SNS service -> Topics.
  5. Select the relevant topic and click Edit.
  6. Under "Encryption - Optional", paste the ARN of the key you just created.

From CLI
aws sns set-topic-attributes --topic-arn <Topic ARN> --attribute-name KmsMasterKeyId --attribute-value <customer managed CMK ARN or alias>

From TF

resource "aws_sns_topic" "user_updates" {
  name = "user-updates-topic"
  # Replace the AWS-managed alias (alias/aws/sns) with your own customer-managed key.
  # aws_kms_key.sns_topic is assumed to be a key resource defined elsewhere in the configuration.
  kms_master_key_id = aws_kms_key.sns_topic.arn
}

References
Use the following references for additional information regarding SSE for SNS:
https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • Terraform AWS CIS Foundations