Logo of Trend Micro

Enable Server-Side Encryption for AWS SNS Topics

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SNS-006

Ensure that Server-Side Encryption (SSE) is enabled for your AWS Simple Notification Service (SNS) topics for additional protection of sensitive data delivered as messages to subscribers. With the SSE feature enabled, when messages are published to encrypted topics, AWS SNS immediately encrypts the messages using a 256-bit AES-GCM algorithm and a Customer Master Key (CMK) issued by Amazon KMS service. AWS SNS Server-Side Encryption can work with both AWS-managed CMKs and customer-managed CMKs.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Amazon SNS Server-Side Encryption (SSE) feature protects the contents of the published messages within your SNS topics, making it ideal for security-sensitive applications with strict encryption compliance and regulatory requirements.

Audit

To determine if your Amazon SNS topics are using Server-Side Encryption, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Choose the Amazon SNS topic that you want to examine, then click on its Amazon Resource Name (ARN), available in the ARN column.

05 On the selected SNS topic details page, above Subscriptions, check the Encryption at rest configuration attribute value (status). If the attribute value is set to Disabled, the encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon Simple Notification Service (SNS) topic.

06 Repeat step no. 4 and 5 to verify if other AWS SNS topics, available within the current region, are using Server-Side Encryption (SSE).

07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list the ARNs of all the SNS topics available in the selected AWS region: 

aws sns list-topics
	--region us-east-1
	--output table
	--query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs: 

----------------------------------------------------------
|                      ListTopics                        |
+--------------------------------------------------------+
|                       TopicArn                         |
+--------------------------------------------------------+
| arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack |
| arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic   |
+--------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to examine as identifier to return the name of the AWS KMS master key used by the selected topic for Server-Side Encryption: 

aws sns get-topic-attributes
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack
	--query 'Attributes.KmsMasterKeyId'

04 The command output should return the name of the KMS key used for SSE or null if the encryption at rest is not currently enabled for the specified SNS topic: 

null

If get-topic-attributes command output returns null, as shown in the example above, the encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon SNS topic.

05 Repeat step no. 3 and 4 to determine if other AWS SNS topics, available in the current region, are using Server-Side Encryption (SSE).

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your Amazon Simple Notification Service (SNS) topics, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, choose Topics.

04 Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right SNS resource).

05 Click the Actions button from the dashboard top menu and select Edit topic encryption configuration.

06 Within Edit topic encryption configuration dialog box, perform the following actions:

  1. Check Enable server-side encryption checkbox to enable encryption at rest for the selected Amazon SNS topic.
  2. Select the Customer Master Key (CMK) that will protect your SNS data from the KMS customer master key (CMK) dropdown list.
  3. Click Enable Server-Side Encryption button to apply the configuration changes to the selected SNS topic.

07 Repeat step no. 4 – 6 for each Amazon SNS topic that you want to enable encryption, available in the selected AWS region.

08 Change the AWS region from the navigation bar to repeat the remediation/resolution process for the other regions.

Using AWS CLI

01 Run set-topic-attributes command (OSX/Linux/UNIX) using the ID of the unencrypted Amazon SNS topic as identifier parameter (see Audit section part II to identify the right SNS resource), to enable Server-Side Encryption (SSE) for the selected topic using the default master key (i.e. AWS Managed Key). Replace <aws-region> and <aws-account-id> placeholders with your own environment details (the command does not produce an output): 

aws sns set-topic-attributes
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack
	--attribute-name KmsMasterKeyId
	--attribute-value arn:aws:kms::<aws-region>:<aws-account-id>:alias/aws/sns

02 Repeat step no. 1 to enable encryption for other unencrypted Amazon SNS topics, available in the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the remediation/resolution process for other regions.

References

Publication date Dec 14, 2018

Related SNS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Server-Side Encryption for AWS SNS Topics

Risk level: High