Description:
Simple Notification Service (SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.
AWS Key Management Service (KMS) helps you create and manage cryptographic keys and control their use across a wide range of AWS services and in your own applications. It is a managed service that stores and generates the encryption keys used by other AWS services and applications, including the keys needed to decrypt your private data. KMS integrates with AWS CloudTrail so you can audit how your encryption keys are being used and by whom.
Encryption is the process of encoding information. SNS encryption converts the plaintext of your messages into ciphertext so that the information cannot be read without the key.
This check verifies that Amazon SNS topics are encrypted with a KMS customer master key (CMK) rather than an AWS-managed key.
Rationale:
Checks whether an SNS topic is encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Amazon SNS topic is not encrypted with AWS KMS. The rule is also NON_COMPLIANT when the KMS key used for encryption is not listed in the kmsKeyIds input parameter.
KMS lets you easily create, rotate, disable, and audit the customer master keys (CMKs) created for your Amazon SNS topics.
Impact:
KMS protects SNS data from unauthorized users and gives you full control over who can use the encryption keys to access your data. Encrypting the messages in a topic provides end-to-end protection of the data.
Default Value:
If you do not define a KMS master key, the topic uses a default master key that AWS auto-generates in your account when the SNS topic is created.
This default key is listed under AWS managed keys in the Key Management Service (KMS) dashboard.
Pre-Requisite:
Before following the implementation steps, make sure that KMS contains a customer master key (CMK).
You should also have an existing SNS topic.
Remediation:
Test Plan:
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard at https://console.aws.amazon.com/sns/v2/.
Step 2: Click on Topics in the left navigation pane.
Step 3: Choose a topic to audit whether encryption is enabled or not.
Step 4: Go to the Encryption tab of the selected topic.
Step 5: Check whether Encryption is shown as Enabled or Disabled for the selected topic.
If encryption for the topic is Disabled, the topic is at risk: the information published to it is not encrypted, because no key is associated with the topic.
Using AWS CLI:
To list your SNS topics:
aws sns list-topics
To retrieve the attributes of a topic (check the KmsMasterKeyId attribute in the output):
aws sns get-topic-attributes \
--topic-arn "arn:aws:sns:ap-south-1:<account_id>:<topic_name>"
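The rule logic above (encryption disabled, or the key not in the kmsKeyIds allow-list) can be applied offline to saved get-topic-attributes output, which is useful when auditing many topics or reviewing an export. The following Python is an added example and not part of this page or of any AWS tool; the account id 111122223333, topic names, key id and alias are constructed sample values, and the helper names key_identifier, evaluate_topic and audit are my own. It accepts the same key reference forms that the set-topic-attributes step below accepts (key id, key ARN, alias name or alias ARN).

```python
"""Offline evaluator for the "SNS topic encrypted with KMS" check.

Added example: the rule logic from the Rationale section applied to
saved `aws sns get-topic-attributes` output. A topic is NON_COMPLIANT
when it carries no KmsMasterKeyId attribute (encryption disabled) or
when its key is not in the kmsKeyIds allow-list. All identifiers
below (account 111122223333, topic names, key id, alias) are
constructed sample values, not real resources.
"""
import json

# Constructed sample: the "Attributes" maps that get-topic-attributes
# would return for three topics, keyed by topic ARN.
SAMPLE_TOPICS = {
    "arn:aws:sns:ap-south-1:111122223333:orders": {
        "Attributes": {
            "TopicArn": "arn:aws:sns:ap-south-1:111122223333:orders",
            # key referenced by its full key ARN
            "KmsMasterKeyId": "arn:aws:kms:ap-south-1:111122223333:"
                              "key/1234abcd-12ab-34cd-56ef-1234567890ab",
        }
    },
    "arn:aws:sns:ap-south-1:111122223333:alerts": {
        "Attributes": {
            "TopicArn": "arn:aws:sns:ap-south-1:111122223333:alerts",
            # key referenced by alias name
            "KmsMasterKeyId": "alias/ExampleAlias",
        }
    },
    "arn:aws:sns:ap-south-1:111122223333:legacy": {
        "Attributes": {
            "TopicArn": "arn:aws:sns:ap-south-1:111122223333:legacy",
            # no KmsMasterKeyId: encryption is disabled on this topic
        }
    },
}

# Constructed allow-list, standing in for the rule's kmsKeyIds parameter.
ALLOWED_KEY_IDS = [
    "arn:aws:kms:ap-south-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "alias/ExampleAlias",
]


def key_identifier(value):
    """Reduce a KMS key reference to a comparable identifier.

    Accepts the forms SNS accepts for KmsMasterKeyId: a bare key id,
    a key ARN, an alias name ("alias/Name") or an alias ARN. Returns
    the bare key id for key references and "alias/Name" for aliases.
    Resolving an alias to its key id needs a live `kms describe-key`
    call, so an alias and a key id pointing at the same key do not
    compare equal here; that is a deliberate, conservative choice.
    """
    value = value.strip()
    if value.startswith("arn:"):
        # the resource part of an ARN is everything after the fifth colon
        resource = value.split(":", 5)[5]
    else:
        resource = value
    if resource.startswith("key/"):
        return resource[len("key/"):]
    return resource  # bare key id or "alias/Name"


def evaluate_topic(attributes, allowed_key_ids=None):
    """Return "COMPLIANT" or "NON_COMPLIANT" for one topic's attributes.

    attributes: the "Attributes" map from get-topic-attributes.
    allowed_key_ids: optional allow-list (the rule's kmsKeyIds parameter);
    when given, the topic's key must appear in it.
    """
    key = attributes.get("KmsMasterKeyId", "").strip()
    if not key:
        return "NON_COMPLIANT"      # encryption disabled on the topic
    if allowed_key_ids:
        allowed = {key_identifier(k) for k in allowed_key_ids}
        if key_identifier(key) not in allowed:
            return "NON_COMPLIANT"  # encrypted, but with a key outside the allow-list
    return "COMPLIANT"


def audit(topics, allowed_key_ids=None):
    """Evaluate every topic; returns {topic_arn: verdict}."""
    return {arn: evaluate_topic(body["Attributes"], allowed_key_ids)
            for arn, body in topics.items()}


if __name__ == "__main__":
    # With the sample data: orders and alerts are COMPLIANT, legacy is NON_COMPLIANT.
    print(json.dumps(audit(SAMPLE_TOPICS, ALLOWED_KEY_IDS), indent=2))
```

To run it against real data, save each `aws sns get-topic-attributes` response as JSON and build the topics map from those files; leave allowed_key_ids empty to check only that encryption is enabled, or pass your kmsKeyIds list to enforce the allow-list part of the rule.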
Implementation Steps:
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard at https://console.aws.amazon.com/sns/v2/.
Step 2: Click on Topics in the left navigation pane.
Step 3: Choose the topic on which to enable encryption.
Step 4: Click on the Edit button.
Step 5: Click on show/hide in the Encryption section below Details.
Step 6: To enable encryption, click on the Enable encryption radio button.
Step 7: Select the KMS customer master key that you generated.
After selecting your key you can see its Description, Account and CMK ARN.
Step 8: Click on the Save changes button.
Using AWS CLI:
To enable the encryption in your SNS topic
aws sns set-topic-attributes \
--topic-arn arn:aws:sns:<region>:<account_id>:<topic_name> \
--attribute-name KmsMasterKeyId \
--attribute-value arn:aws:kms:<region>:<account_id>:alias/<KMS_CMK_alias_name>
The example above uses an alias ARN (for example arn:aws:kms:<region>:<account_id>:alias/ExampleAlias). You can also pass the key id, the key ARN or just the alias name (alias/ExampleAlias) as the attribute value.
Backout Plan:
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard at https://console.aws.amazon.com/sns/v2/.
Step 2: Click on Topics in the left navigation pane.
Step 3: Choose the topic on which to disable encryption.
Step 4: Click on the Edit button.
Step 5: Click on show/hide in the Encryption section below Details.
Step 6: To disable encryption, click on the Disable encryption radio button.
Step 7: At the bottom right of the page, click on the Save changes button.