SNS Topic Encrypted
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that Server-Side Encryption (SSE) is enabled for your AWS Simple Notification Service (SNS) topics for additional protection of sensitive data delivered as messages to subscribers. With the SSE feature enabled, when messages are published to encrypted topics, AWS SNS immediately encrypts the messages using a 256-bit AES-GCM algorithm and a Customer Master Key (CMK) issued by Amazon KMS service. AWS SNS Server-Side Encryption can work with both AWS-managed CMKs and customer-managed CMKs.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Amazon SNS Server-Side Encryption (SSE) feature protects the contents of the published messages within your SNS topics, making it ideal for security-sensitive applications with strict encryption compliance and regulatory requirements.
To determine if your Amazon SNS topics are using Server-Side Encryption, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
03 In the left navigation panel, select Topics.
04 Choose the Amazon SNS topic that you want to examine, then click on its Amazon Resource Name (ARN), available in the ARN column.
05 On the selected SNS topic details page, above Subscriptions, check the Encryption at rest configuration attribute value (status). If the attribute value is set to Disabled, the encryption at rest (i.e. Server-Side Encryption) is not enabled for the selected Amazon Simple Notification Service (SNS) topic.
06 Repeat step no. 4 and 5 to verify if other AWS SNS topics, available within the current region, are using Server-Side Encryption (SSE).
07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.
01 Run list-topics command (OSX/Linux/UNIX) to list the ARNs of all the SNS topics available in the selected AWS region:
aws sns list-topics --region us-east-1 --output table --query 'Topics[]'
02 The command output should return a table with the requested SNS topic ARNs:
---------------------------------------------------------- | ListTopics | +--------------------------------------------------------+ | TopicArn | +--------------------------------------------------------+ | arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack | | arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic | +--------------------------------------------------------+
03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to examine as identifier to return the name of the AWS KMS master key used by the selected topic for Server-Side Encryption:
aws sns get-topic-attributes --region us-east-1 --topic-arn arn:aws:sns:us-east-1:123456789012:cc-mobile-app-stack --query 'Attributes.KmsMasterKeyId'
04 The command output should return the name of the KMS key used for SSE or null if the encryption at rest is not currently enabled for the specified SNS topic:
null
05 Repeat step no. 3 and 4 to determine if other AWS SNS topics, available in the current region, are using Server-Side Encryption (SSE).
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
To enable Server-Side Encryption (SSE) for your Amazon Simple Notification Service (SNS) topics, perform the following actions:
Note: Enabling data-at-rest encryption for existing Amazon SNS topics using the AWS API via Command Line Interface (CLI) is not currently supported.01 Sign in to AWS Management Console.
02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
03 In the left navigation panel, choose Topics.
04 Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right SNS resource).
05 Click the Actions button from the dashboard top menu and select Edit topic encryption configuration.
06 Within Edit topic encryption configuration dialog box, perform the following actions:
07 Repeat step no. 4 – 6 for each Amazon SNS topic that you want to enable encryption, available in the selected AWS region.
08 Change the AWS region from the navigation bar to repeat the remediation/resolution process for the other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat