Amazon_SNS_8
An AWS SNS topic should be encrypted using an AWS managed Customer Master Key (CMK) instead of an AWS-owned CMK. This is required in order to meet server-side encryption regulatory requirements for sensitive data that may be stored in the topic. In addition, encrypting an SNS topic with an AWS-managed CMK allows you to view the CMK and its key policy, and to audit encryption/decryption events by examining the SNS API calls recorded in CloudTrail.
Perform the following to set at-rest encryption with your own managed key:
Via AWS Console
1. Login to AWS Console
2. Navigate to KMS Service
3. Select "Customer managed key" and create a new key. Copy the ARN of the new key
4. Navigate to SNS Service -> Topics
5. Select the relevant topic and click Edit
6. Look for "Encryption – Optional". Paste the ARN of the new key you just created.
Via CLI:
aws sns set-topic-attributes --topic-arn <Topic ARN> --attribute-name KmsMasterKeyId --attribute-value <CMK ARN>
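To check this rule across an account, the encryption state can be read from the `KmsMasterKeyId` attribute that `aws sns get-topic-attributes` returns. The following is an added example (not Cloudlytics' own code) that classifies topics as having no SSE, the AWS managed `alias/aws/sns` key, or a customer managed key, and renders the remediation command above for each unencrypted topic; the topic ARNs, key ARN and attribute maps are constructed sample data, and nothing here calls AWS.

```python
from typing import Dict

# Alias of the AWS managed KMS key SNS uses when no customer managed key is chosen.
AWS_MANAGED_SNS_ALIAS = "alias/aws/sns"


def classify_encryption(attributes: Dict[str, str]) -> str:
    """Return 'none', 'aws-managed' or 'customer-managed' for one topic's attributes.

    KmsMasterKeyId is absent when SSE is off. When present it may be a key ID,
    key ARN, alias name or alias ARN; the AWS managed key is recognised by alias.
    """
    key_id = attributes.get("KmsMasterKeyId", "")
    if not key_id:
        return "none"
    if key_id == AWS_MANAGED_SNS_ALIAS or key_id.endswith(":" + AWS_MANAGED_SNS_ALIAS):
        return "aws-managed"
    return "customer-managed"


def find_unencrypted_topics(topics: Dict[str, Dict[str, str]]) -> list:
    """Return the ARNs of every topic with no KMS key set (SSE disabled)."""
    return [arn for arn, attrs in topics.items() if classify_encryption(attrs) == "none"]


def remediation_command(topic_arn: str, key_arn: str) -> str:
    """Render the set-topic-attributes call from the page for one finding."""
    return (f"aws sns set-topic-attributes --topic-arn {topic_arn} "
            f"--attribute-name KmsMasterKeyId --attribute-value {key_arn}")


# Constructed sample, shaped like the Attributes map of `aws sns get-topic-attributes`.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:orders": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    },
    "arn:aws:sns:us-east-1:111122223333:alerts": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:audit-log": {},  # SSE never enabled
}

if __name__ == "__main__":
    for arn, attrs in SAMPLE_TOPICS.items():
        print(arn, "->", classify_encryption(attrs))
    for arn in find_unencrypted_topics(SAMPLE_TOPICS):
        print(remediation_command(arn, "<CMK ARN>"))
```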
Use the following references for additional information regarding SSE for SNS:
https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html