Ensure that your AWS Simple Notification Service (SNS) topics are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed keys (the default keys the SNS service uses when no customer-managed keys have been created), so that you have more granular control over the SNS data-at-rest encryption and decryption process.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own AWS KMS Customer Master Keys (CMKs) to protect your SNS data from unauthorized users, you have full control over who can use the encryption keys to access your data. AWS Key Management Service (KMS) lets you easily create, rotate, disable and audit the Customer Master Keys created for your Amazon SNS topics.
Audit
To determine the encryption status and configuration for your AWS SNS topics, perform the following actions:
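The audit logic behind these steps, as an added example that is not part of the original Cloud Conformity page: it walks every topic returned by the SNS list-topics call, reads the KmsMasterKeyId attribute from get-topic-attributes, and classifies the topic as unencrypted, encrypted with the AWS-managed key, or encrypted with a customer-managed CMK. The code is written against the boto3 client method shapes (list_topics, get_topic_attributes, describe_key) but boto3 itself is not imported; the FakeSns and FakeKms classes, their topic ARNs, key ARN and account ID are constructed sample data so the script runs offline. The KeyManager lookup via KMS describe_key is an assumption about how to tell a customer key ID or ARN from an AWS-managed one, since only the alias form is recognisable by name.

```python
"""Audit Amazon SNS topics for encryption with customer-managed KMS keys.

Works against any object exposing the boto3-style SNS/KMS methods used here
(list_topics, get_topic_attributes, describe_key). The fake clients at the
bottom are constructed sample data so the script runs without AWS access.
"""
from dataclasses import dataclass
from typing import List, Optional

# Alias of the AWS-managed key that SNS falls back to when no customer CMK is set.
AWS_MANAGED_SNS_ALIAS = "alias/aws/sns"


@dataclass
class TopicFinding:
    topic_arn: str
    kms_key_id: Optional[str]   # value of the KmsMasterKeyId attribute, if present
    status: str                 # "UNENCRYPTED", "AWS_MANAGED" or "CUSTOMER_MANAGED"


def classify_key(kms_key_id: Optional[str], kms) -> str:
    """Decide whether a topic's KmsMasterKeyId refers to a customer-managed CMK."""
    if not kms_key_id:
        return "UNENCRYPTED"
    # The alias may appear bare or as an alias ARN ("...:alias/aws/sns").
    if kms_key_id == AWS_MANAGED_SNS_ALIAS or kms_key_id.endswith(":" + AWS_MANAGED_SNS_ALIAS):
        return "AWS_MANAGED"
    # Key IDs, key ARNs and custom aliases are not self-describing: ask KMS who manages the key.
    manager = kms.describe_key(KeyId=kms_key_id)["KeyMetadata"]["KeyManager"]
    return "CUSTOMER_MANAGED" if manager == "CUSTOMER" else "AWS_MANAGED"


def list_all_topics(sns) -> List[str]:
    """Collect every topic ARN, following NextToken pagination of list_topics."""
    arns, token = [], None
    while True:
        resp = sns.list_topics(NextToken=token) if token else sns.list_topics()
        arns.extend(t["TopicArn"] for t in resp.get("Topics", []))
        token = resp.get("NextToken")
        if not token:
            return arns


def audit_sns_topics(sns, kms) -> List[TopicFinding]:
    """One finding per topic; anything other than CUSTOMER_MANAGED fails the rule."""
    findings = []
    for arn in list_all_topics(sns):
        attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
        key_id = attrs.get("KmsMasterKeyId")  # attribute is absent when SSE is off
        findings.append(TopicFinding(arn, key_id, classify_key(key_id, kms)))
    return findings


# ---- constructed sample environment (not real AWS data) ---------------------
class FakeSns:
    _TOPICS = {
        "arn:aws:sns:us-east-1:111122223333:plain-topic": {},
        "arn:aws:sns:us-east-1:111122223333:default-key-topic": {"KmsMasterKeyId": "alias/aws/sns"},
        "arn:aws:sns:us-east-1:111122223333:cmk-topic": {
            "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
    }

    def list_topics(self, NextToken=None):
        arns = list(self._TOPICS)
        if NextToken is None:  # first page: two topics plus a continuation token
            return {"Topics": [{"TopicArn": a} for a in arns[:2]], "NextToken": "page2"}
        return {"Topics": [{"TopicArn": a} for a in arns[2:]]}

    def get_topic_attributes(self, TopicArn):
        return {"Attributes": dict(self._TOPICS[TopicArn])}


class FakeKms:
    def describe_key(self, KeyId):
        # The constructed key ARN above is treated as a customer-managed CMK.
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": "CUSTOMER"}}


if __name__ == "__main__":
    # Against a real account: import boto3; sns, kms = boto3.client("sns"), boto3.client("kms")
    for f in audit_sns_topics(FakeSns(), FakeKms()):
        flag = "OK  " if f.status == "CUSTOMER_MANAGED" else "FAIL"
        print(f"{flag} {f.status:<17} {f.topic_arn}  key={f.kms_key_id}")
```

Run as-is to see the three constructed topics classified; swap the fake clients for boto3 clients to audit a real account. The same check can be reproduced by hand with the CLI commands listed under References: list-topics, then get-topic-attributes per topic and inspect the KmsMasterKeyId value.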
Remediation / Resolution
To encrypt Amazon SNS topic data with your own KMS Customer Master Key (CMK), perform the following actions:
Note: Enabling encryption at rest using customer-managed CMKs for existing Amazon SNS topics using the AWS API via Command Line Interface (CLI) is not currently supported.
References
- AWS Documentation
  - Amazon SNS FAQs
  - Amazon SNS Security
  - Protecting Amazon SNS Data Using Server-Side Encryption (SSE) and AWS KMS
  - Tutorial: Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic
- AWS Command Line Interface (CLI) Documentation
  - sns
    - list-topics
    - get-topic-attributes
You are auditing:
SNS Topic Encrypted With KMS Customer Master Keys
Risk level: High