SNS Topic Encrypted

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to examine.

05 Select the Encryption tab from the console bottom panel and check the Encryption configuration attribute status. If the Encryption attribute status is set to Disabled, the Server-Side Encryption (SSE) feature is not enabled for the selected Amazon Simple Notification Service (SNS) topic.

06 Repeat steps no. 4 and 5 for each Amazon SNS topic available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

01 Run list-topics command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Amazon SNS topic available in the selected AWS cloud region:

aws sns list-topics
  --region us-east-1
  --output table
  --query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs:

-----------------------------------------------------------
|                       ListTopics                        |
+---------------------------------------------------------+
|                        TopicArn                         |
+---------------------------------------------------------+
|  arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic  |
|  arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic   |
+---------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to examine as the identifier parameter to describe the ARN of the KMS master key used by the selected SNS topic for Server-Side Encryption (SSE):

aws sns get-topic-attributes
  --region us-east-1
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic
  --query 'Attributes.KmsMasterKeyId'

04 The command output should return the ARN of the KMS master key used for SSE:

null
 

05 Repeat steps no. 3 and 4 for each Amazon SNS topic available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Server-Side Encryption (SSE) for SNS Topics",
	"Parameters": {
		"SNSTopicName": {
			"Type": "String",
			"Description": "Topic Name",
			"Default": "cc-sns-topic"
		}
	},
	"Resources": {
		"AWSSNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"TopicName": {
					"Ref": "SNSTopicName"
				},
				"Subscription": [
					{
						"Endpoint": "user@domain.com",
						"Protocol": "email"
					}
				],
				"KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable Server-Side Encryption (SSE) for SNS Topics
	Parameters:
		SNSTopicName:
		Type: String
		Description: Topic Name
		Default: cc-sns-topic
	Resources:
		AWSSNSTopic:
		Type: AWS::SNS::Topic
		Properties:
			TopicName: !Ref 'SNSTopicName'
			Subscription:
			- Endpoint: user@domain.com
				Protocol: email
			KmsMasterKeyId: arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_sns_topic" "cc-sns-topic" {

	name = "cc-trail-sns-topic"

	# Enable Server-Side Encryption (SSE) for SNS Topics
	kms_master_key_id = "alias/aws/sns"

}

resource "aws_sns_topic_subscription" "cc-sns-topic-target" {

	topic_arn = aws_sns_topic.cc-sns-topic.arn
	protocol  = "email"
	endpoint  = "user@domain.com"

}

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to reconfigure.

05 Choose Edit from the console top menu to access the topic configuration settings.

06 Select the Encryption – optional tab and perform the following actions:

1. Choose Enable encryption to enable Server-Side Encryption (SSE) for the selected Amazon SNS topic.
2. Select the Customer Master Key (CMK) that you want to use for Server-Side Encryption from the Customer master key (CMK) dropdown list.
3. Choose Save changes to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Amazon SNS topic that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

01 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to encrypt as the identifier parameter, to enable Server-Side Encryption (SSE) for the selected topic using a KMS Customer Master Key (CMK). As an example, the master key used for the following command request is the default key (i.e. alias/aws/sns) that protects Amazon SNS data when no other key is defined (the command does not produce an output):

aws sns set-topic-attributes
  --region us-east-1
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic
  --attribute-name KmsMasterKeyId
  --attribute-value
arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

02 Repeat step no. 1 for each Amazon SNS topic that you want to reconfigure, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.