Amazon Simple Notification Service (Amazon SNS) now provides server-side encryption (SSE) of topics for additional protection of sensitive data from unauthorized users. This feature is integrated with AWS Key Management Service (AWS KMS), which allows you to centrally manage keys that protect Amazon SNS topics along with keys that protect your other AWS resources. Amazon SNS encrypted topics are available now in all AWS Regions where AWS KMS is available.
Sign in to the Amazon SNS console.
On the navigation panel, choose Topics.
On the Topics page, select a topic and choose Actions, Edit.
Expand the Encryption section and do the following:
Choose Enable encryption.
Specify the customer master key (CMK).
For each CMK type, the Description, Account, and CMK ARN are displayed.
If you aren’t the owner of the CMK, or if you log in with an account that doesn’t have the
kms:DescribeKey permissions, you won’t be able to view information about the CMK on the Amazon SNS console.
The AWS managed CMK for Amazon SNS (Default) alias/aws/sns is selected by default.
Keep the following in mind:
The first time you use the AWS Management Console to specify the AWS managed CMK for Amazon SNS for a topic, AWS KMS creates the AWS managed CMK for Amazon SNS.
Alternatively, the first time you use the
Publish action on a topic with SSE enabled, AWS KMS creates the AWS managed CMK for Amazon SNS.
To use a custom CMK from your AWS account, choose the Customer master key (CMK) field and then select the custom CMK from the list.
To use a custom CMK ARN from your AWS account or from another AWS account, enter it into the Customer master key (CMK) field.
Choose Save changes.
SSE is enabled for your topic and the
MyTopic page is displayed.
The topic’s Encryption status, AWS Account, Customer master key (CMK), CMK ARN, andDescription are displayed on the Encryption tab.