1. Help Center
  2. AWS Knowledge Base
  3. Amazon Simple Notification Service (SNS)

SNS Topic CMK Encryption

This plugin uses KMS Customer Master Keys to encrypt Amazon SNS topics (CMKs).

Risk Level: LOW

Description:

This plugin uses KMS Customer Master Keys to encrypt Amazon SNS topics (CMKs). In order to have more granular control over the SNS data-at-rest encryption and decryption process, KMS Customer Master Keys (CMKs) should be used instead of AWS-managed keys.


Recommended Actions: Update SNS topics to use Customer Master Keys (CMKs) for Server-Side Encryption.

About the Service :

Amazon SNS (Amazon Simple Notification Service) is a managed service that delivers messages from publishers to subscribers (also known as producers and consumers). Publishers communicate with subscribers asynchronously by sending messages to a topic, which serves as a logical access point and communication route for subscribers. Clients can subscribe to the SNS topic and receive published messages through any supported endpoint, including Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messaging (SMS).

Impact: 

If default KMS Keys are used for encryption instead of Customer Master Keys we won’t have much control over the SNS data-at-rest encryption and decryption process.

Steps to reproduce :

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine and click on Edit.
  5. Under Encryption check, if the server-side encryption option is enabled or disabled.
  6. If not, then click on Enable encryption and check the value of the Customer Master Key selected from the dropdown menu.
  7. If the selected key name is “(Default) alias/aws/sns” then the selected Amazon SNS topic is encrypted using the default master key (AWS-managed key) instead of a customer-managed CMK.
  8. Repeat steps no. 4-7 for other topics in the selected region as well as for other AWS regions.

Steps for remediation :

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine and click on Edit.
  5. Under Encryption check, if the server-side encryption option is enabled or disabled.
  6. If not, then click on Enable encryption and check the value of the Customer Master Key selected from the dropdown menu.
  7. If the selected key name is “(Default) alias/aws/sns” , then replace it with your Customer Master Key from the dropdown menu.
  8. Repeat step no. 4 – 7 to enable data-at-rest encryption for other Amazon SNS topics available within the selected region, using your own KMS Customer Master Key (CMK)

References: