Description:
AWS Simple Notification Service (SNS) topics can be encrypted at rest (server-side encryption, SSE) with an AWS KMS key. This control requires a customer-managed key (CMK) rather than the AWS-managed key alias/aws/sns, so that the account controls the key policy, rotation and deletion of the key protecting messages stored in the topic.

Rationale:
SNS holds message bodies at rest until they are delivered or expire. Without SSE those bodies are protected only by SNS access controls. With SSE enabled, SNS encrypts each message body under a data key that is itself protected by the KMS key, so reading the plaintext additionally requires kms:Decrypt permission on that key. Using a customer-managed key lets you decide which principals and AWS services may use the key, rotate it on your own schedule, and audit every use of it in CloudTrail.

Impact:
If SNS topics are not encrypted at rest under a customer-managed key, any principal with access to the topic's stored messages, or to the AWS-managed key, can read sensitive payloads such as customer PII, financial data, or intellectual property. Conversely, enabling SSE without granting publishers KMS permissions causes publishes to the topic to fail, so the key policy must be prepared before the change.

Default Value:
By default, SNS topics are not encrypted at rest: the KmsMasterKeyId topic attribute is unset. You must explicitly enable encryption for each topic.

Pre-requisites:

  • You must have an AWS account with permissions to view and modify SNS topic attributes (sns:GetTopicAttributes, sns:SetTopicAttributes) via the AWS Management Console or the AWS CLI.
  • You must have a customer-managed key created in KMS in the same region as the topic.
  • Every principal that publishes to the topic (IAM users, roles, and AWS services that publish on your behalf) must be allowed kms:GenerateDataKey* and kms:Decrypt on that key, either through its IAM policy or through the key policy; otherwise publishes will fail once encryption is enabled.


Remediation Steps:

  1. Sign in to the AWS Management Console.
  2. Go to the Amazon SNS console and choose Topics.
  3. Select the topic that you want to encrypt and choose Edit.
  4. Expand the Encryption section.
  5. Enable encryption.
  6. Under the AWS KMS key selector, choose your customer-managed key (not the default alias/aws/sns).
  7. Choose Save changes.


Test Plan:

  1. Verify that encryption is enabled on the topic and that the selected key is your customer-managed key, not the AWS-managed key alias/aws/sns.
  2. Verify the same with the AWS CLI: run aws sns get-topic-attributes --topic-arn <topic-arn> and confirm that the KmsMasterKeyId attribute is set to the expected key ID, ARN, or alias.
  3. Confirm that an authorized publisher can still publish to the topic (aws sns publish --topic-arn <topic-arn> --message test). Encryption must not block permitted use; a KMS access-denied error here means the publisher lacks kms:GenerateDataKey* or kms:Decrypt on the key.
  4. Note that SNS does not offer a "read the stored message" operation, so encryption cannot be verified by attempting to fetch data from the topic; the KmsMasterKeyId attribute is the authoritative check.


Implementation Plan:

  1. Define a policy that requires all SNS topics to be encrypted at rest with a customer-managed key, and grant publishers the required KMS permissions on that key.
  2. Implement the policy by setting the KmsMasterKeyId attribute on every existing topic and by including it in the templates or code that create new topics.
  3. Monitor compliance continuously, for example with the AWS Config managed rule sns-encrypted-kms or a scheduled script that lists topics and flags any whose KmsMasterKeyId is unset or points at the AWS-managed key.


AWS CLI Process:

  1. Run the following command to enable encryption for an SNS topic (there is no update-topic subcommand; encryption is controlled through the KmsMasterKeyId topic attribute):
aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:my-topic --attribute-name KmsMasterKeyId --attribute-value arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
  2. Confirm the change:
aws sns get-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:my-topic --query Attributes.KmsMasterKeyId --output text
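The Test Plan, Implementation Plan and CLI steps above all reduce to the same operations: read each topic's KmsMasterKeyId attribute, classify it, and set it where it is missing. The script below is an added example written for this page, not code from AWS or from the SNS documentation. It assumes AWS CLI v2 on PATH, credentials allowed sns:ListTopics, sns:GetTopicAttributes, sns:SetTopicAttributes and kms:DescribeKey, and the function and script names are hypothetical. It goes slightly beyond the text by also catching the case where the AWS-managed key was referenced by key ID or ARN instead of its alias.

```shell
#!/bin/sh
# Added example (not from the original page or the AWS docs): audit every SNS
# topic in the configured region for encryption at rest with a customer-managed
# KMS key, and remediate a single topic on request.
# Assumes: AWS CLI v2, credentials with sns:ListTopics, sns:GetTopicAttributes,
# sns:SetTopicAttributes and kms:DescribeKey. Names below are hypothetical.

# classify_key VALUE
# VALUE is the KmsMasterKeyId attribute as printed by
#   aws sns get-topic-attributes ... --query Attributes.KmsMasterKeyId --output text
# (the CLI prints "None" when the attribute is absent). Prints one of:
#   unencrypted  no SSE configured
#   aws-managed  SSE with the AWS managed key alias/aws/sns (fails this control)
#   cmk          SSE with a key referenced by ID, ARN or custom alias
classify_key() {
  case "$1" in
    ""|None|null)                   echo unencrypted ;;
    alias/aws/sns|*:alias/aws/sns)  echo aws-managed ;;
    *)                              echo cmk ;;
  esac
}

# audit_topic TOPIC_ARN -> prints "<status>\t<topic-arn>\t<key>"
audit_topic() {
  key=$(aws sns get-topic-attributes --topic-arn "$1" \
          --query 'Attributes.KmsMasterKeyId' --output text)
  status=$(classify_key "$key")
  # The AWS managed key can also be set by key ID or ARN, so ask KMS who
  # manages any non-alias key before treating it as customer-managed.
  if [ "$status" = cmk ]; then
    manager=$(aws kms describe-key --key-id "$key" \
                --query 'KeyMetadata.KeyManager' --output text 2>/dev/null)
    [ "$manager" = AWS ] && status=aws-managed
  fi
  printf '%s\t%s\t%s\n' "$status" "$1" "$key"
}

# audit_all -> one line per topic; returns 1 if any topic fails the control
audit_all() {
  failed=0
  for arn in $(aws sns list-topics --query 'Topics[].TopicArn' --output text); do
    line=$(audit_topic "$arn")
    case "$line" in cmk*) ;; *) failed=1 ;; esac
    echo "$line"
  done
  return $failed
}

# remediate TOPIC_ARN CMK_ARN -> enable SSE with the given customer-managed key
remediate() {
  aws sns set-topic-attributes --topic-arn "$1" \
    --attribute-name KmsMasterKeyId --attribute-value "$2"
}

# verify TOPIC_ARN CMK_ARN -> 0 only if the topic now reports exactly that key
verify() {
  [ "$(audit_topic "$1" | cut -f3)" = "$2" ]
}

# Usage: sh sns_sse_audit.sh audit
#        sh sns_sse_audit.sh remediate <topic-arn> <cmk-arn>
case "${1:-}" in
  audit)     audit_all ;;
  remediate) remediate "$2" "$3" && verify "$2" "$3" && echo "encrypted: $2" ;;
esac
```

Run the audit before and after the rollout; any line not starting with cmk is a finding. After remediating a topic, also perform an aws sns publish as one of its real publishers, since a KMS access-denied error at that point means the key policy or the publisher's IAM policy is missing kms:GenerateDataKey* or kms:Decrypt.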

Using AWS GUI:

  1. Go to the Amazon SNS console and choose Topics.
  2. Select the topic that you want to encrypt and choose Edit.
  3. Expand the Encryption section.
  4. Enable encryption.
  5. Under the AWS KMS key selector, choose your customer-managed key (not the default alias/aws/sns).
  6. Choose Save changes.


Backout Plan:

  1. If you enable encryption for an SNS topic that should not be encrypted, disable it by editing the topic in the console and turning encryption off, or with the CLI by clearing the KmsMasterKeyId attribute (aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value ""). If the problem is that publishers can no longer publish, the better fix is usually to grant them kms:GenerateDataKey* and kms:Decrypt on the key rather than to disable encryption.
  2. You can also roll back the organizational policy that requires all SNS topics to be encrypted at rest and the monitoring that enforces it.

Note:

  • This control passes only for SNS topics that are encrypted at rest with a customer-managed key. Topics encrypted with the AWS-managed key alias/aws/sns are encrypted, but with a key whose policy the account cannot control, and topics with no KmsMasterKeyId are not encrypted at all. SSE protects message bodies; topic metadata such as the ARN, attributes and access policy is not encrypted, and encryption in transit is provided separately by TLS.
  • You can also use the AWS CLI or the AWS SNS API to enable encryption for SNS topics.
  • For more information, see the AWS SNS documentation on encrypting topics at rest: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html.

Reference:

https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html