|   Trend Micro™ Cloud One
SNS Topic Encrypted With KMS Customer Master Keys

Security
Risk level: High (not acceptable risk)
Rule ID: SNS-007

Ensure that your Amazon Simple Notification Service (SNS) topics are encrypted with AWS KMS Customer Master Keys (CMKs) that you create and manage, rather than the AWS-managed key (the aws/sns key that SNS uses whenever server-side encryption is enabled without a specific key being selected), in order to have granular control over who can use the key that protects the topic's data at rest.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

When you protect your SNS topics with your own AWS KMS Customer Master Keys (CMKs), you own the key policy and therefore decide which principals (publishers, subscribers and AWS services) can use the key to encrypt and decrypt the topic's data. AWS Key Management Service (KMS) lets you create, rotate, disable and audit the CMKs created for your Amazon SNS topics. The AWS-managed aws/sns key offers none of this control: its key policy is managed by AWS and cannot be edited, and the key cannot be disabled.

Audit

To determine the encryption status and configuration for your AWS SNS topics, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Choose the Amazon SNS topic that you want to examine, click on the Action dropdown menu from the dashboard top menu and select Edit topic encryption configuration option.

05 Within Edit topic encryption configuration dialog box, make sure that Server-Side Encryption (SSE) is enabled (otherwise see this conformity rule to enable encryption at rest for the specified SNS topic), then check the encryption key name selected for the KMS Customer Master Key (CMK) dropdown menu. If the key alias (name) is (Default) aws/sns, the selected Amazon SNS topic is encrypted using the default master key (AWS-managed key) instead of a customer-managed CMK.

06 Repeat step no. 4 and 5 to determine the encryption status and configuration for other AWS SNS topics available within the current region.

07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list the ARNs of all the SNS topics available in the selected AWS region:

aws sns list-topics \
    --region us-east-1 \
    --output table \
    --query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs:

---------------------------------------------------------
|                      ListTopics                       |
+-------------------------------------------------------+
|                       TopicArn                        |
+-------------------------------------------------------+
| arn:aws:sns:us-east-1:123456789012:cc-main-sub-topic  |
| arn:aws:sns:us-east-1:123456789012:cc-project5-topic  |
| arn:aws:sns:us-east-1:123456789012:cc-test-sns-topic  |
+-------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to examine as identifier to return the name of the AWS KMS master key used by the selected topic for Server-Side Encryption (SSE):

aws sns get-topic-attributes \
    --region us-east-1 \
    --topic-arn arn:aws:sns:us-east-1:123456789012:cc-main-sub-topic \
    --query 'Attributes.KmsMasterKeyId'

04 The command output should return the identifier of the key used by the topic (an alias, a key ID or a key ARN), or null when the KmsMasterKeyId attribute is absent, i.e. SSE is not enabled for the selected SNS topic (see this conformity rule to enable encryption at rest for your SNS topic):

"alias/aws/sns"

If get-topic-attributes command output returns "alias/aws/sns", as shown in the example above, the selected Amazon SNS topic is encrypted using the AWS-managed key (default key) instead of a customer-managed Customer Master Key (CMK). Note that the attribute can also hold the key ID or key ARN of the AWS-managed key rather than its alias, so a string comparison against "alias/aws/sns" alone is not conclusive; when the value is a key ID or ARN, run aws kms describe-key --key-id <value> --query 'KeyMetadata.KeyManager' and treat "AWS" as the AWS-managed key and "CUSTOMER" as a customer-managed CMK.

05 Repeat step no. 3 and 4 to determine the encryption status and configuration for other AWS SNS topics available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
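The following script is an added example (not Cloud Conformity's own tooling) that automates the CLI audit above across one or more regions and also carries the remediation step for topics that fail. It classifies each topic by the kind of key protecting it, using the KeyManager field of the key rather than the alias string alone, so that a topic referencing the AWS-managed key by key ID or ARN is still flagged. It assumes the AWS CLI is installed and credentialed; the region, topic ARNs and the "alias/cc-sns-cmk" alias used in the comments are illustrative values. The real account is only touched when SNS_AUDIT_RUN=1 is set.

```shell
#!/bin/sh
# Added example, not Cloud Conformity's code. Classifies Amazon SNS topics by the
# kind of KMS key protecting them (SNS-007 audit) and can move a topic onto a
# customer-managed key (SNS-007 remediation). Assumes the AWS CLI is installed
# and credentialed; region names and "alias/cc-sns-cmk" are illustrative.
set -eu

# Turn the KmsMasterKeyId attribute of a topic, plus the KeyManager that
# "aws kms describe-key" reports for that key, into an audit verdict.
#   $1  KmsMasterKeyId  ("None"/"null"/empty when SSE is disabled; otherwise an
#                        alias, key ID or key ARN)
#   $2  KeyManager      ("AWS" or "CUSTOMER"; may be empty when $1 is empty)
classify_sns_key() {
  key_id="$1"
  key_manager="${2:-}"
  case "$key_id" in
    ""|None|null) echo "unencrypted"; return 0 ;;
    alias/aws/*)  echo "aws-managed";  return 0 ;;
  esac
  # The AWS-managed key can also be referenced by key ID or ARN, so the alias
  # string alone is not a reliable test; KeyManager is authoritative.
  case "$key_manager" in
    AWS)      echo "aws-managed" ;;
    CUSTOMER) echo "customer-managed" ;;
    *)        echo "unknown" ;;
  esac
}

# Audit every topic in one region. Prints "<verdict> <topic ARN>" per line.
# Topics reported as "unencrypted" or "aws-managed" fail SNS-007.
audit_region() {
  region="$1"
  for arn in $(aws sns list-topics --region "$region" \
                 --query 'Topics[].TopicArn' --output text); do
    # With --output text a missing attribute is printed as "None".
    key_id=$(aws sns get-topic-attributes --region "$region" --topic-arn "$arn" \
               --query 'Attributes.KmsMasterKeyId' --output text)
    manager=""
    case "$key_id" in
      ""|None|null|alias/aws/*) ;;
      *) manager=$(aws kms describe-key --region "$region" --key-id "$key_id" \
                     --query 'KeyMetadata.KeyManager' --output text) ;;
    esac
    echo "$(classify_sns_key "$key_id" "$manager") $arn"
  done
}

# Remediate: SetTopicAttributes accepts KmsMasterKeyId, so an existing topic can
# be switched to a customer-managed key (alias, key ID or ARN) without being
# recreated. The CMK's key policy must let the topic's publishers, including
# AWS services that publish to it, call kms:GenerateDataKey* and kms:Decrypt,
# otherwise publishes start failing as soon as the key is switched.
set_topic_cmk() {
  region="$1"; arn="$2"; cmk="$3"
  aws sns set-topic-attributes --region "$region" --topic-arn "$arn" \
    --attribute-name KmsMasterKeyId --attribute-value "$cmk"
}

# Driver: audit the regions listed in SNS_AUDIT_REGIONS (default us-east-1).
# Only contacts AWS when SNS_AUDIT_RUN=1, e.g.
#   SNS_AUDIT_RUN=1 SNS_AUDIT_REGIONS="us-east-1 eu-west-1" sh sns007.sh
if [ "${SNS_AUDIT_RUN:-0}" = "1" ]; then
  for region in ${SNS_AUDIT_REGIONS:-us-east-1}; do
    audit_region "$region"
  done
fi
```

To remediate a flagged topic, call set_topic_cmk with the region, the topic ARN and your CMK (for example alias/cc-sns-cmk) after confirming that the CMK's key policy grants the topic's publishers the KMS permissions noted in the comment; re-running the audit should then report the topic as customer-managed.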

Remediation / Resolution

To encrypt Amazon SNS topic data with your own KMS Customer Master Key (CMK), perform the following actions:

Note: Server-side encryption for an existing topic can also be set or changed from the CLI with set-topic-attributes, using KmsMasterKeyId as the attribute name and the alias, key ID or ARN of your CMK as the attribute value. Whichever method you use, the CMK's key policy must allow the topic's publishers, including any AWS services that publish to it (for example CloudWatch alarms or S3 event notifications), to call kms:GenerateDataKey* and kms:Decrypt; otherwise those publishes fail as soon as the key is switched.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your AWS SNS topic was created).

05 Click Create Key button from the dashboard top menu to initiate the setup process.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for your new KMS CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the SNS topic data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt and decrypt your SNS data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue the process.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new Customer Master Key (CMK). Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: <the CMK display name>".

12 Now that the CMK has been created, navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

13 In the left navigation panel, choose Topics.

14 Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right SNS resource).

15 Click the Actions button from the dashboard top menu and select Edit topic encryption configuration option.

16 Inside Edit topic encryption configuration dialog box, select the AWS KMS Customer Master Key created earlier from the KMS customer master key (CMK) dropdown list. Once the right key is selected, click Enable Server-Side Encryption button to apply the configuration changes.

17 Repeat step no. 14 – 16 to enable data-at-rest encryption for other Amazon SNS topics available within the selected region, using your own KMS Customer Master Key (CMK).

18 Change the AWS region from the navigation bar to repeat the entire process for the other regions.

Publication date Dec 14, 2018
