Ensure all data stored in the SNS topic is encrypted

ID

sns_topic_encryption_disabled

Severity

high

Vendor

AWS

Resource

SNS

Tags

reachable

Description

Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).

Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel.

Clients can subscribe to the SNS topic and receive published messages using a supported endpoint type, such as Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS).

When you publish messages to an encrypted topic, SNS encrypts them at rest with a KMS key (a customer master key, CMK). Using your own KMS key rather than the AWS managed one gives you more control, including the ability to create, rotate, and disable the key.

Examples

CloudFormation

{
  "Resources": {
    "MySNSTopic": { (1)
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": "SNSEndpoint",
            "Protocol": "sqs"
          }
        ],
        "TopicName": "SampleTopic"
      }
    }
  }
}
1 Missing KmsMasterKeyId means encryption is NOT enabled.

Resources:
  MySNSTopic: (1)
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: "SNSEndpoint"
          Protocol: "sqs"
      TopicName: "SampleTopic"
1 Missing KmsMasterKeyId means encryption is NOT enabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MySNSTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": "SNSEndpoint",
            "Protocol": "sqs"
          }
        ],
        "TopicName": "SampleTopic",
        "KmsMasterKeyId": "kms_id" (1)
      }
    }
  }
}
1 KmsMasterKeyId set means encryption is enabled.

Resources:
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: "SNSEndpoint"
          Protocol: "sqs"
      TopicName: "SampleTopic"
      KmsMasterKeyId: "kms_id" (1)
1 KmsMasterKeyId set means encryption is enabled.
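The buildtime check this rule performs can be reproduced with a short template scanner. The following is an added example, not code from the original rule page: it walks the `Resources` of a CloudFormation template already loaded as a dict (here from an embedded, constructed JSON string so it runs offline; a YAML template loaded with PyYAML yields the same structure) and reports every `AWS::SNS::Topic` whose `KmsMasterKeyId` is absent or empty. A key supplied through an intrinsic function such as `Ref` is counted as set, since it resolves to a key at deploy time.

```python
"""Buildtime check: flag AWS::SNS::Topic resources without a usable KmsMasterKeyId.

Added example, not part of the original rule page.
"""
import json
from typing import List

# Constructed sample template: topics covering the cases the check must handle.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PlainTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "SampleTopic"}
    },
    "EncryptedTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "SecureTopic", "KmsMasterKeyId": "alias/aws/sns"}
    },
    "RefTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "RefTopic", "KmsMasterKeyId": {"Ref": "TopicKey"}}
    },
    "EmptyKeyTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "EmptyTopic", "KmsMasterKeyId": ""}
    },
    "NotATopic": {
      "Type": "AWS::SQS::Queue",
      "Properties": {}
    }
  }
}
""")


def kms_key_is_set(properties: dict) -> bool:
    """True when KmsMasterKeyId carries a usable value.

    A literal key id, alias or ARN counts, as does an intrinsic function such as
    {"Ref": "..."} or {"Fn::GetAtt": [...]} that resolves to one at deploy time.
    An absent key or an empty string does not.
    """
    value = properties.get("KmsMasterKeyId")
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, dict):
        # CloudFormation intrinsic functions are single-key mappings.
        return len(value) == 1
    return False


def find_unencrypted_sns_topics(template: dict) -> List[str]:
    """Return the logical IDs of SNS topics that would be created without encryption."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SNS::Topic":
            continue
        if not kms_key_is_set(resource.get("Properties") or {}):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for logical_id in find_unencrypted_sns_topics(SAMPLE_TEMPLATE):
        print(f"sns_topic_encryption_disabled: {logical_id} has no KmsMasterKeyId")
```

Run against the embedded template it reports `PlainTopic` and `EmptyKeyTopic`; `RefTopic` passes because the key is provided by a `Ref`, and the SQS queue is ignored because the rule only concerns SNS topics.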

Runtime

AWS Console

To enable encryption on an existing topic, go to the Amazon SNS Console:

  • Select Topics and then select the specific topic.

  • Click Edit.

  • Under Encryption, select Enable encryption.

  • Select a CMK.

CLI Command

aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-id>
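The runtime steps above (enumerate topics, inspect each one, set `KmsMasterKeyId`) can be scripted across a whole account. The following is an added example, not code from the original rule page: the audit itself is a pure function over `(topic ARN, attributes)` pairs as returned by `GetTopicAttributes`, exercised here on constructed sample data so it runs offline; `fetch_topic_attributes()` and `enable_encryption()` make the live boto3 calls and are only reached from `main()`. The `--fix <kms-key-id>` option is this example's own convention, not part of the rule.

```python
"""Runtime audit of an AWS account's SNS topics for a missing KmsMasterKeyId.

Added example, not part of the original rule page. An unencrypted topic simply
has no KmsMasterKeyId entry in its GetTopicAttributes response.
"""
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed sample of GetTopicAttributes results for three topics.
SAMPLE_TOPICS = [
    ("arn:aws:sns:us-east-1:111122223333:orders",
     {"TopicArn": "arn:aws:sns:us-east-1:111122223333:orders",
      "KmsMasterKeyId": "alias/aws/sns"}),
    ("arn:aws:sns:us-east-1:111122223333:alerts",
     {"TopicArn": "arn:aws:sns:us-east-1:111122223333:alerts"}),
    ("arn:aws:sns:us-east-1:111122223333:audit",
     {"TopicArn": "arn:aws:sns:us-east-1:111122223333:audit",
      "KmsMasterKeyId": ""}),
]


def unencrypted_topics(topics: Iterable[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return the ARNs of topics whose attributes carry no usable KmsMasterKeyId."""
    return [arn for arn, attrs in topics
            if not attrs.get("KmsMasterKeyId", "").strip()]


def fetch_topic_attributes(sns) -> List[Tuple[str, Dict[str, str]]]:
    """Live path: list every topic (paginated) and fetch its attributes."""
    result = []
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
            result.append((arn, attrs))
    return result


def enable_encryption(sns, topic_arn: str, kms_key_id: str) -> None:
    """Same effect as the CLI fix: set the KmsMasterKeyId attribute on one topic."""
    sns.set_topic_attributes(TopicArn=topic_arn,
                             AttributeName="KmsMasterKeyId",
                             AttributeValue=kms_key_id)


def main(argv: List[str]) -> int:
    """Audit the account; with `--fix <kms-key-id>` also remediate each finding."""
    import boto3  # imported here so the pure audit logic above runs without it
    sns = boto3.client("sns")
    fix_key = argv[argv.index("--fix") + 1] if "--fix" in argv else None
    findings = unencrypted_topics(fetch_topic_attributes(sns))
    for arn in findings:
        print(f"sns_topic_encryption_disabled: {arn}")
        if fix_key:
            enable_encryption(sns, arn, fix_key)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample data `alerts` (no attribute) and `audit` (empty attribute) are reported while `orders` passes. When run live, a non-zero exit status makes the audit usable as a gate in a scheduled compliance job, and passing your own CMK ARN to `--fix` gives the rotation and disable control described above.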