Ensure that your Amazon Simple Notification Service (SNS) topics are encrypted with KMS Customer Master Keys (CMKs) instead of AWS-managed keys (i.e. the default key that SNS uses when no customer-managed key is specified) in order to benefit from more granular control over your SNS data encryption/decryption process.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you create and use your own customer-managed Customer Master Keys (CMKs) to protect Amazon SNS data, you gain full control over who can use the keys and access your data. AWS KMS allows you to create, rotate, disable, enable, and audit the CMK encryption keys used for SNS topics.
Audit
To determine if Server-Side Encryption (SSE) with Customer Master Keys (CMKs) is enabled for your Amazon SNS topics, perform the following actions:
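The check described above, as an added example that is not the Conformity tool's own code: it classifies each topic from the "Attributes" map returned by `sns get-topic-attributes` (key `KmsMasterKeyId`) and, when available, the "KeyMetadata" map returned by `kms describe-key` (key `KeyManager`). The topic ARNs and key ids in the sample data are constructed values.

```python
"""Audit Amazon SNS topics for KMS customer-managed key (CMK) encryption.

Added example, not code from the Conformity page: it applies the Audit
logic to the "Attributes" map returned by sns get-topic-attributes and the
"KeyMetadata" map returned by kms describe-key. The ARNs and key ids below
are constructed sample values.
"""
from typing import Dict, List, Optional

AWS_MANAGED_ALIAS = "alias/aws/sns"  # default key SNS uses when no CMK is set


def classify_topic(attributes: Dict[str, str],
                   key_metadata: Optional[Dict[str, str]] = None) -> str:
    """Return 'unencrypted', 'aws-managed' or 'customer-managed'.

    KmsMasterKeyId is absent (or empty) when SSE is disabled. When set it may
    be an alias, alias ARN, key id or key ARN, so the alias check alone is a
    heuristic; pass KeyMetadata from describe-key to decide on KeyManager,
    which KMS reports as "AWS" or "CUSTOMER".
    """
    key_id = attributes.get("KmsMasterKeyId", "")
    if not key_id:
        return "unencrypted"
    if key_metadata is not None:
        manager = key_metadata.get("KeyManager")
        return "customer-managed" if manager == "CUSTOMER" else "aws-managed"
    if key_id == AWS_MANAGED_ALIAS or key_id.endswith(":" + AWS_MANAGED_ALIAS):
        return "aws-managed"
    return "customer-managed"


def noncompliant_topics(topics: Dict[str, Dict[str, str]]) -> List[str]:
    """Topic ARNs that are not encrypted with a customer-managed CMK."""
    return sorted(arn for arn, attrs in topics.items()
                  if classify_topic(attrs) != "customer-managed")


# Constructed sample data in the shape get-topic-attributes returns.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:123456789012:alerts": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:123456789012:orders": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    "arn:aws:sns:us-east-1:123456789012:legacy": {},  # SSE disabled
}

if __name__ == "__main__":
    for arn in noncompliant_topics(SAMPLE_TOPICS):
        print(f"NONCOMPLIANT {arn}: {classify_topic(SAMPLE_TOPICS[arn])}")
```

For a live audit, feed the output of `aws sns list-topics` and `aws sns get-topic-attributes` into the same functions; a topic whose key id is not an alias should be resolved with `aws kms describe-key` so the verdict rests on `KeyManager` rather than on the name.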
Remediation / Resolution
To use your own KMS Customer Master Key (CMK) for Amazon SNS Server-Side Encryption (SSE), perform the following actions:
References
- AWS Documentation
  - Amazon SNS FAQs
  - Getting started with Amazon SNS
  - Amazon SNS Security
  - Encryption at rest
  - What is Amazon SNS?
- AWS Command Line Interface (CLI) Documentation
  - sns
    - list-topics
    - get-topic-attributes
    - set-topic-attributes
  - kms
    - describe-key
    - create-key
    - create-alias
- CloudFormation Documentation
  - Amazon Simple Notification Service resource type reference
- Terraform Documentation
  - AWS Provider
Rule: SNS Topic Encrypted With KMS Customer Master Keys
Risk Level: Medium