1. Help Center
  2. AWS Knowledge Base
  3. Amazon Simple Notification Service (SNS)

SNS Topic Not Encrypted

This plugin enforces Server-Side Encryption on Amazon SNS topics (SSE).

Risk Level: MEDIUM

Description:

This plugin enforces Server-Side Encryption on Amazon SNS topics (SSE). To secure data at rest, SNS topics should use Server-Side Encryption (SSE). The contents of messages in Amazon SNS topics are protected by SSE utilizing keys controlled by the AWS Key Management Service (AWS KMS).


Recommended Action: Enable Server-Side Encryption to protect the content of SNS topic messages.

About the Service :

Amazon SNS (Amazon Simple Notification Service) is a managed service that delivers messages from publishers to subscribers (also known as producers and consumers). Publishers communicate with subscribers asynchronously by sending messages to a topic, which serves as a logical access point and communication route for subscribers. Clients can subscribe to the SNS topic and receive published messages through any supported endpoint, including Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messaging (SMS).

Impact: 

If the SSE feature is disabled when messages are published to encrypted topics, AWS SNS won't encrypt the messages using a 256-bit AES-GCM algorithm and a Customer Master Key (CMK) issued by Amazon KMS service and hence the contents of the published messages within your SNS topics will be publicly visible making it a big security issue.

Steps to reproduce :

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine and click on Edit.
  5. Under Encryption check, if the server-side encryption option is enabled or disabled.
  6. Repeat steps no. 4 and 5 for other topics in the selected region as well as for other AWS regions.

Steps for remediation :

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine and click on Edit.
  5. Under Encryption check, if the server-side encryption option is enabled or disabled
  6. Click on Enable encryption option to enable SSE for the selected topic.
  7. Repeat steps no. 4-6 for other topics in the selected region as well as for other AWS regions.

References: