Ensure that AWS SNS topics are encrypted using a CMK (Customer Master Key) that you manage instead of an AWS-owned CMK


SNS topics should be encrypted at rest with a customer master key (CMK) that you create and manage in AWS KMS, rather than with a key that AWS owns or manages on your behalf. This is required to meet regulatory requirements for server-side encryption of sensitive data that may pass through the topic. A key you manage also lets you view and control the CMK and its key policy, and audit encryption and decryption events: every time SNS encrypts or decrypts a message it calls KMS (GenerateDataKey and Decrypt), and those calls are recorded in CloudTrail alongside the SNS API calls.


Perform the following to set at-rest encryption with a KMS key you manage (a customer managed key):

Via AWS Console
1. Log in to the AWS Console
2. Navigate to the KMS service
3. Select "Customer managed keys" and create a new key. In the key policy, allow the SNS service principal (sns.amazonaws.com) to call kms:GenerateDataKey* and kms:Decrypt; without that grant, publishes to the topic fail once encryption is enabled. Copy the ARN of the new key
4. Navigate to the SNS service -> Topics
5. Select the relevant topic and click Edit
6. Expand "Encryption – optional", enable encryption and paste the ARN of the key you just created

Via CLI:
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <key-id, key-ARN or alias>
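The check below is an added example, not code from the original page or from any product it belongs to. It classifies topics from the attribute map that `aws sns get-topic-attributes` returns (an unencrypted topic simply has no KmsMasterKeyId; a key referenced by ID or ARN needs the KeyManager field from `aws kms describe-key` to tell AWS managed from customer managed), and it builds and validates the key policy statement SNS needs on the customer managed key. All sample topics, ARNs and key IDs are constructed; the account ID 123456789012 is a placeholder.

```python
"""Audit SNS topic encryption and build the KMS key policy SNS requires.

Added example (not part of the original page). Inputs mirror the JSON of
`aws sns get-topic-attributes` and `aws kms describe-key`; all sample data
below is constructed.
"""
import json
import re

# Alias ARN form: arn:aws:kms:<region>:<account>:alias/<name>
_ALIAS_ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:\d{12}:alias/(?P<alias>.+)$")


def classify_topic(attrs, key_manager_by_id):
    """Return UNENCRYPTED, AWS_MANAGED, CUSTOMER_MANAGED or UNKNOWN.

    attrs: the attribute map of one topic (TopicArn, KmsMasterKeyId, ...).
    key_manager_by_id: {key-id-or-ARN: KeyManager} taken from describe-key,
    needed only when the topic references the key by ID or ARN.
    """
    key = (attrs.get("KmsMasterKeyId") or "").strip()
    if not key:
        return "UNENCRYPTED"
    alias = key
    m = _ALIAS_ARN_RE.match(key)
    if m:
        alias = "alias/" + m.group("alias")
    if alias.startswith("alias/"):
        # aws/* aliases are reserved for AWS managed keys (e.g. alias/aws/sns)
        return "AWS_MANAGED" if alias.startswith("alias/aws/") else "CUSTOMER_MANAGED"
    manager = key_manager_by_id.get(key)  # "AWS" or "CUSTOMER" from describe-key
    if manager == "CUSTOMER":
        return "CUSTOMER_MANAGED"
    if manager == "AWS":
        return "AWS_MANAGED"
    return "UNKNOWN"


def audit(topics, key_manager_by_id):
    """Map each TopicArn to its classification."""
    return {t["TopicArn"]: classify_topic(t, key_manager_by_id) for t in topics}


def build_key_policy(account_id):
    """Minimal key policy: account root keeps administration, SNS may use the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAccountAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowSNSToUseKey",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
                "Resource": "*",
            },
        ],
    }


def policy_allows_sns(policy):
    """True if an Allow statement grants sns.amazonaws.com both
    GenerateDataKey (or its wildcard) and Decrypt. Deny statements and
    Conditions are ignored; this is a simplified check, not a full evaluator."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if "sns.amazonaws.com" not in services:
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    gen_ok = bool(granted & {"kms:GenerateDataKey", "kms:GenerateDataKey*", "kms:*"})
    dec_ok = bool(granted & {"kms:Decrypt", "kms:*"})
    return gen_ok and dec_ok


# Constructed sample input (shape of get-topic-attributes / describe-key output)
CUSTOMER_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_TOPICS = [
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:orders", "KmsMasterKeyId": "alias/aws/sns"},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts", "KmsMasterKeyId": CUSTOMER_KEY_ARN},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:legacy"},
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:billing", "KmsMasterKeyId": "alias/sns-customer-key"},
]
SAMPLE_KEY_MANAGERS = {CUSTOMER_KEY_ARN: "CUSTOMER"}

if __name__ == "__main__":
    for arn, status in audit(SAMPLE_TOPICS, SAMPLE_KEY_MANAGERS).items():
        print(f"{status:17} {arn}")
    print(json.dumps(build_key_policy("123456789012"), indent=2))
```

In practice, feed `audit` the attribute maps of every topic from `aws sns list-topics` plus `get-topic-attributes`, resolve any ID- or ARN-referenced keys with `describe-key`, and treat UNENCRYPTED and AWS_MANAGED as findings. Run `policy_allows_sns` on the key policy before switching the topic over; a key that does not grant sns.amazonaws.com GenerateDataKey and Decrypt will make every Publish fail with a KMS access error.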

Use the following reference for additional information regarding SSE for SNS: