
Enable Server-Side Encryption for AWS SNS Topics


Security

Risk level: High (not acceptable risk)

Ensure that Server-Side Encryption (SSE) is enabled for your AWS Simple Notification Service (SNS) topics to add protection for sensitive data delivered as messages to subscribers. With SSE enabled, as soon as messages are published to an encrypted topic, AWS SNS encrypts them using the 256-bit AES-GCM algorithm and a Customer Master Key (CMK) managed by the AWS Key Management Service (KMS). AWS SNS Server-Side Encryption works with both AWS-managed CMKs and customer-managed CMKs.

The Amazon SNS Server-Side Encryption (SSE) feature protects the contents of the messages published to your SNS topics, making it well suited to security-sensitive applications with strict encryption, compliance and regulatory requirements.

Audit

To determine if your Amazon SNS topics are using Server-Side Encryption, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Choose the Amazon SNS topic that you want to examine, then click on its Amazon Resource Name (ARN), available in the ARN column.

05 On the selected SNS topic details page, above Subscriptions, check the Encryption at rest configuration attribute value (status). If the attribute value is set to Disabled, the encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon Simple Notification Service (SNS) topic.

06 Repeat steps no. 4 and 5 to verify whether the other AWS SNS topics available in the current region are using Server-Side Encryption (SSE).

07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run the list-topics command (OSX/Linux/UNIX) to list the ARNs of all the SNS topics available in the selected AWS region:

aws sns list-topics \
	--region us-east-1 \
	--output table \
	--query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs:

----------------------------------------------------------
|                      ListTopics                        |
+--------------------------------------------------------+
|                       TopicArn                         |
+--------------------------------------------------------+
| arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack |
| arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic   |
+--------------------------------------------------------+

03 Run the get-topic-attributes command (OSX/Linux/UNIX), using the ARN of the SNS topic that you want to examine as the identifier, to return the ID of the AWS KMS master key used by the selected topic for Server-Side Encryption:

aws sns get-topic-attributes \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack \
	--query 'Attributes.KmsMasterKeyId'

04 The command output should return the ID of the KMS key used for SSE, or null if encryption at rest is not currently enabled for the specified SNS topic:

null

If the get-topic-attributes command output returns null, as shown in the example above, encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon SNS topic.

05 Repeat steps no. 3 and 4 to determine whether the other AWS SNS topics available in the current region are using Server-Side Encryption (SSE).

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 to 5 to perform the audit process for the other regions.
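The CLI audit above, as an added example rather than Cloud Conformity's or AWS's own tooling: it lists the topics, reads KmsMasterKeyId from each topic's attributes, and additionally follows list-topics NextToken pagination, which a single CLI call does not show. It accepts a real boto3 SNS client (assumed installed and configured for a live run) or any object with the same two methods, so the offline demo uses a constructed stand-in client and the two sample ARNs from the output above.

```python
# Added example, not Cloud Conformity's or AWS's own code: the CLI audit above
# (list-topics, then get-topic-attributes and inspect KmsMasterKeyId) as a script
# that also follows list-topics NextToken pagination, which one CLI call hides.
# Works with a real boto3 SNS client or any object with the same two methods.

def topic_sse_status(attributes):
    """'Enabled' when KmsMasterKeyId is set; a missing/empty value is the CLI's null."""
    return "Enabled" if attributes.get("KmsMasterKeyId") else "Disabled"

def audit_topics(sns_client):
    """Return {topic_arn: 'Enabled'|'Disabled'} for every topic in one region."""
    results, next_token = {}, None
    while True:
        page = sns_client.list_topics(**({"NextToken": next_token} if next_token else {}))
        for topic in page.get("Topics", []):
            arn = topic["TopicArn"]
            attrs = sns_client.get_topic_attributes(TopicArn=arn)["Attributes"]
            results[arn] = topic_sse_status(attrs)
        next_token = page.get("NextToken")  # absent on the last page
        if not next_token:
            return results

def unencrypted_topics(results):
    """ARNs still needing remediation (the High-risk findings), sorted."""
    return sorted(arn for arn, status in results.items() if status == "Disabled")

class FakeSnsClient:
    """Constructed stand-in for boto3's SNS client; pages one topic at a time."""
    def __init__(self, topics):  # topics: {arn: attributes dict}
        self._arns, self._topics = sorted(topics), topics
    def list_topics(self, NextToken=None):
        start = int(NextToken or 0)
        page = {"Topics": [{"TopicArn": a} for a in self._arns[start:start + 1]]}
        if start + 1 < len(self._arns):
            page["NextToken"] = str(start + 1)
        return page
    def get_topic_attributes(self, TopicArn):
        return {"Attributes": self._topics[TopicArn]}

# Constructed sample matching the two ARNs in the list-topics output above.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack": {},
    "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic": {"KmsMasterKeyId": "alias/aws/sns"},
}

if __name__ == "__main__":
    # Offline demo; live: boto3.client("sns", region_name=r) for each region r.
    for arn in unencrypted_topics(audit_topics(FakeSnsClient(SAMPLE_TOPICS))):
        print("SSE disabled:", arn)
```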

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your Amazon Simple Notification Service (SNS) topics, perform the following actions:

Note: Enabling data-at-rest encryption for existing Amazon SNS topics using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, choose Topics.

04 Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right SNS resource).

05 Click the Actions button from the dashboard top menu and select Edit topic encryption configuration.

06 Within Edit topic encryption configuration dialog box, perform the following actions:

  1. Check Enable server-side encryption checkbox to enable encryption at rest for the selected Amazon SNS topic.
  2. From the KMS customer master key (CMK) dropdown list, select the Customer Master Key (CMK) that will protect your SNS data.
  3. Click Enable Server-Side Encryption button to apply the configuration changes to the selected SNS topic.

07 Repeat steps no. 4 to 6 for each Amazon SNS topic in the selected AWS region for which you want to enable encryption.

08 Change the AWS region from the navigation bar and repeat the remediation/resolution process for the other regions.


Publication date Dec 14, 2018