
SNS Topic Encrypted

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SNS-006

Ensure that Server-Side Encryption (SSE) is enabled for your Amazon Simple Notification Service (SNS) topics for additional protection of sensitive data delivered as messages to subscribers. The Amazon SNS service uses a KMS Customer Master Key (CMK) to generate the data keys required to encrypt and decrypt topic messages. There is no additional charge for using Server-Side Encryption; however, there is a charge for using Amazon KMS.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon SNS Server-Side Encryption (SSE) protects the contents of the messages published to your SNS topics, making it ideal for security-sensitive applications with strict encryption compliance and regulatory requirements. With SSE, Amazon SNS encrypts each message as soon as it is received and decrypts it immediately prior to delivery. Encryption and decryption are handled transparently and do not require any additional action from you or your application.


Audit

To determine if Server-Side Encryption (SSE) is enabled for your Amazon SNS topics, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to examine.

05 Select the Encryption tab from the console bottom panel and check the Encryption configuration attribute status. If the Encryption attribute status is set to Disabled, the Server-Side Encryption (SSE) feature is not enabled for the selected Amazon Simple Notification Service (SNS) topic.

06 Repeat steps no. 4 and 5 for each Amazon SNS topic available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Amazon SNS topic available in the selected AWS cloud region:

aws sns list-topics \
  --region us-east-1 \
  --output table \
  --query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs:

-----------------------------------------------------------
|                       ListTopics                        |
+---------------------------------------------------------+
|                        TopicArn                         |
+---------------------------------------------------------+
|  arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic  |
|  arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic   |
+---------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to examine as the identifier parameter to describe the ARN of the KMS master key used by the selected SNS topic for Server-Side Encryption (SSE):

aws sns get-topic-attributes \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic \
  --query 'Attributes.KmsMasterKeyId'

04 The command output should return the ARN of the KMS master key used for SSE:

null

If the get-topic-attributes command output returns null, as shown in the output example above, the Server-Side Encryption (SSE) feature is not enabled for the selected Amazon Simple Notification Service (SNS) topic.

05 Repeat steps no. 3 and 4 for each Amazon SNS topic available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
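The CLI audit above, carried out in code as an added example (this is not Conformity's own code): a topic passes SNS-006 only when its KmsMasterKeyId attribute is present and non-empty, which is exactly the condition the get-topic-attributes query reports as null when it fails. The sample attribute maps are constructed from the page's example topics; the live collector assumes boto3 and AWS credentials are available.

```python
"""Offline evaluator for rule SNS-006 (SNS topic Server-Side Encryption).

Added example, not Conformity's own code. Mirrors audit steps 1-4:
list topics, fetch each topic's attributes, flag missing KmsMasterKeyId.
"""
from typing import Dict, List

# Constructed sample of get-topic-attributes output per topic ARN
# (only the fields relevant to this check are shown).
SAMPLE_TOPIC_ATTRIBUTES: Dict[str, Dict[str, str]] = {
    "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic": {
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic",
        # No KmsMasterKeyId key at all: the CLI --query above prints null
    },
    "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic": {
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic",
        "KmsMasterKeyId": "alias/aws/sns",
    },
}


def topic_is_encrypted(attributes: Dict[str, str]) -> bool:
    """True when SSE is enabled: KmsMasterKeyId present and not blank."""
    key_id = attributes.get("KmsMasterKeyId")
    return bool(key_id and key_id.strip())


def find_unencrypted_topics(attrs_by_arn: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the ARNs of topics failing SNS-006, sorted for stable output."""
    return sorted(arn for arn, attrs in attrs_by_arn.items()
                  if not topic_is_encrypted(attrs))


def collect_topic_attributes(region: str) -> Dict[str, Dict[str, str]]:
    """Fetch attributes for every topic in one region (needs boto3 + credentials)."""
    import boto3  # assumption: boto3 installed; imported lazily so the
                  # offline evaluation above runs without it

    sns = boto3.client("sns", region_name=region)
    result: Dict[str, Dict[str, str]] = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            result[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return result


if __name__ == "__main__":
    for arn in find_unencrypted_topics(SAMPLE_TOPIC_ATTRIBUTES):
        print(f"SNS-006 FAIL (SSE disabled): {arn}")
```

Run `collect_topic_attributes(region)` once per region and pass the result to `find_unencrypted_topics` to cover steps 5 and 6.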

Remediation / Resolution

Server-Side Encryption (SSE) adds at-rest encryption to your Amazon SNS topics. To enable Server-Side Encryption for your SNS topics, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Server-Side Encryption (SSE) for SNS Topics",
	"Parameters": {
		"SNSTopicName": {
			"Type": "String",
			"Description": "Topic Name",
			"Default": "cc-sns-topic"
		}
	},
	"Resources": {
		"AWSSNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"TopicName": {
					"Ref": "SNSTopicName"
				},
				"Subscription": [
					{
						"Endpoint": "user@domain.com",
						"Protocol": "email"
					}
				],
				"KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Server-Side Encryption (SSE) for SNS Topics
Parameters:
  SNSTopicName:
    Type: String
    Description: Topic Name
    Default: cc-sns-topic
Resources:
  AWSSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref 'SNSTopicName'
      Subscription:
        - Endpoint: user@domain.com
          Protocol: email
      KmsMasterKeyId: arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_sns_topic" "cc-sns-topic" {

	name = "cc-trail-sns-topic"

	# Enable Server-Side Encryption (SSE) for SNS Topics
	kms_master_key_id = "alias/aws/sns"

}

resource "aws_sns_topic_subscription" "cc-sns-topic-target" {

	topic_arn = aws_sns_topic.cc-sns-topic.arn
	protocol  = "email"
	endpoint  = "user@domain.com"

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to reconfigure.

05 Choose Edit from the console top menu to access the topic configuration settings.

06 Select the Encryption – optional tab and perform the following actions:

  1. Choose Enable encryption to enable Server-Side Encryption (SSE) for the selected Amazon SNS topic.
  2. Select the Customer Master Key (CMK) that you want to use for Server-Side Encryption from the Customer master key (CMK) dropdown list.
  3. Choose Save changes to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Amazon SNS topic that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to encrypt as the identifier parameter, to enable Server-Side Encryption (SSE) for the selected topic using a KMS Customer Master Key (CMK). As an example, the master key used for the following command request is the default key (i.e. alias/aws/sns) that protects Amazon SNS data when no other key is defined (the command does not produce an output):

aws sns set-topic-attributes \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic \
  --attribute-name KmsMasterKeyId \
  --attribute-value alias/aws/sns

02 Repeat step no. 1 for each Amazon SNS topic that you want to reconfigure, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.


Publication date Dec 14, 2018