Ensure that your AWS Simple Notification Service (SNS) topics are encrypted with KMS Customer Master Keys (CMKs) instead of AWS-managed keys (the default keys used by the SNS service when no customer-managed keys have been created) in order to have more granular control over the SNS data-at-rest encryption and decryption process.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own AWS KMS Customer Master Keys (CMKs) to protect your SNS data from unauthorized users, you have full control over who can use the encryption keys to access your data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys created for your Amazon SNS topics.
To determine the encryption status and configuration for your AWS SNS topics, perform the following actions:
To encrypt Amazon SNS topic data with your own KMS Customer Master Key (CMK), perform the following actions:
Note: Enabling encryption at rest using customer-managed CMKs for existing Amazon SNS topics using the AWS API via Command Line Interface (CLI) is not currently supported.
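The audit step above (determining whether each topic is unencrypted, encrypted with the AWS-managed SNS key, or encrypted with a customer-managed CMK) can be scripted. The following is an added example, not Cloud Conformity's own code; it assumes the AWS-managed SNS key is exposed under the alias `alias/aws/sns`, that `GetTopicAttributes` returns the key in `KmsMasterKeyId`, and that KMS `DescribeKey` reports `KeyManager` as `AWS` or `CUSTOMER`. The sample topic data is constructed.

```python
"""Classify Amazon SNS topics by their encryption-at-rest configuration."""

AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"  # assumption: AWS-managed keys use aws/ aliases


def classify_topic_encryption(attributes, describe_key=None):
    """Return 'unencrypted', 'aws-managed', 'customer-managed' or 'undetermined'.

    attributes   -- the Attributes dict from SNS GetTopicAttributes
    describe_key -- optional callable(key_id) -> KeyMetadata dict, needed when
                    KmsMasterKeyId is a bare key id or key ARN rather than an alias
    """
    key_id = (attributes.get("KmsMasterKeyId") or "").strip()
    if not key_id:
        return "unencrypted"  # no KMS key at all: SNS stores messages in plaintext
    # Alias forms are "alias/name" or "arn:...:alias/name"; take the resource part.
    resource = key_id.split(":")[-1] if key_id.startswith("arn:") else key_id
    if resource.startswith("alias/"):
        return "aws-managed" if resource.startswith(AWS_MANAGED_ALIAS_PREFIX) else "customer-managed"
    # A bare key id / key ARN says nothing about who manages it; ask KMS.
    if describe_key is None:
        return "undetermined"
    manager = describe_key(key_id).get("KeyManager")
    return "aws-managed" if manager == "AWS" else "customer-managed"


def audit_topics(topic_attributes_by_arn, describe_key=None):
    """Return sorted ARNs of topics NOT encrypted with a customer-managed CMK."""
    return sorted(arn for arn, attrs in topic_attributes_by_arn.items()
                  if classify_topic_encryption(attrs, describe_key) != "customer-managed")


def fetch_topic_attributes(region_name):
    """Collect attributes for every SNS topic in a region (needs boto3 + credentials)."""
    import boto3  # imported lazily so the classification logic runs offline
    sns, kms = boto3.client("sns", region_name=region_name), boto3.client("kms", region_name=region_name)
    attrs = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            attrs[topic["TopicArn"]] = sns.get_topic_attributes(TopicArn=topic["TopicArn"])["Attributes"]
    return attrs, (lambda key_id: kms.describe_key(KeyId=key_id)["KeyMetadata"])


# Constructed sample data (documentation-style account id, not real topics).
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:alerts": {},
    "arn:aws:sns:us-east-1:111122223333:orders": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:audit": {"KmsMasterKeyId": "alias/sns-audit-cmk"},
    "arn:aws:sns:us-east-1:111122223333:billing": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
}
FAKE_DESCRIBE_KEY = lambda key_id: {"KeyManager": "CUSTOMER"}  # stands in for kms.describe_key

if __name__ == "__main__":
    for arn in audit_topics(SAMPLE_TOPICS, FAKE_DESCRIBE_KEY):
        print("not CMK-encrypted:", arn)
```

Against real data, call `attrs, describe = fetch_topic_attributes("us-east-1")` and pass both to `audit_topics`.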