Ensure that your AWS Simple Notification Service (SNS) topics are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys (the default keys used by the SNS service when no customer-managed keys have been created), so that you have more granular control over the SNS data-at-rest encryption and decryption process.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect your SNS data from unauthorized users, you have full control over who can use the encryption keys to access your data. Amazon Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys created for your Amazon SNS topics.
To determine the encryption status and configuration for your AWS SNS topics, perform the following actions:
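One way to script this audit check, as an added example that is not part of the original page. It assumes the SNS `KmsMasterKeyId` topic attribute and the KMS `KeyManager` key metadata field; the function names, account ID, topic ARNs and key IDs are constructed for illustration.

```python
AWS_MANAGED_ALIAS = "alias/aws/sns"  # default AWS managed key for SNS

def classify_topic(attributes, describe_key):
    """Classify one topic from its GetTopicAttributes 'Attributes' map.
    describe_key(key_id) must return the KMS DescribeKey 'KeyMetadata' map."""
    key_id = attributes.get("KmsMasterKeyId", "")
    if not key_id:
        return "UNENCRYPTED"
    if key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS):
        return "AWS_MANAGED"
    # A bare key ID or key ARN does not reveal who manages the key; KeyManager does.
    manager = describe_key(key_id)["KeyManager"]  # "AWS" or "CUSTOMER"
    return "CUSTOMER_MANAGED" if manager == "CUSTOMER" else "AWS_MANAGED"

def audit(topics, describe_key):
    """Map each topic ARN to its status; only CUSTOMER_MANAGED satisfies the rule."""
    return {arn: classify_topic(attrs, describe_key) for arn, attrs in topics.items()}

def audit_live(region):
    """Run the same check against an account (needs boto3 and read-only credentials)."""
    import boto3
    sns = boto3.client("sns", region_name=region)
    kms = boto3.client("kms", region_name=region)
    topics = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            topics[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return audit(topics, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"])

# Constructed sample data (placeholder account, topics and key IDs).
SAMPLE_KEYS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {"KeyManager": "CUSTOMER"},
    "22222222-aaaa-4bbb-8ccc-000000000002": {"KeyManager": "AWS"},
}
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:orders":
        {"KmsMasterKeyId": "11111111-aaaa-4bbb-8ccc-000000000001"},
    "arn:aws:sns:us-east-1:111122223333:alerts": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:audit":
        {"KmsMasterKeyId": "22222222-aaaa-4bbb-8ccc-000000000002"},
    "arn:aws:sns:us-east-1:111122223333:legacy": {},
}

if __name__ == "__main__":
    for arn, status in audit(SAMPLE_TOPICS, SAMPLE_KEYS.__getitem__).items():
        print(f"{status:17} {arn}")
```
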
To encrypt Amazon SNS topic data with your own KMS Customer Master Key (CMK), perform the following actions:
Note: Enabling encryption at rest using customer-managed CMKs for existing Amazon SNS topics using the AWS API via Command Line Interface (CLI) is not currently supported.