Profile Applicability

  • Level 2

Description

Amazon SNS supports server-side encryption (SSE) to protect the contents of messages using a key held in AWS Key Management Service (KMS). When SSE is enabled on a topic, SNS encrypts the message body as soon as it receives it and decrypts it only at delivery, so the message is protected at rest for as long as SNS holds it. SSE encrypts only the message body: topic metadata (name and attributes), message metadata (subject, message ID, timestamp and message attributes) and per-topic metrics are not encrypted, and SSE is separate from TLS, which protects messages in transit. Unencrypted SNS topics may expose sensitive information to unauthorized access.

Rationale

  • Enhanced Security: Protects the contents of messages held by SNS from unauthorized access at the storage layer.

  • Compliance: Meets regulatory requirements for data encryption and privacy.

  • Risk Mitigation: Reduces the risk of data breaches and unauthorized access.

Impact

Pros:

  • Safeguards sensitive data in SNS topics.

  • Aligns with compliance and security best practices.

  • Provides centralized key management using AWS KMS.

Cons:

  • Requires additional configuration to enable encryption.

  • May incur AWS KMS charges: a customer managed key has a monthly cost, and the KMS API calls SNS makes on publish are billed per request.

  • Every publisher must be allowed kms:GenerateDataKey* and kms:Decrypt on the key. An AWS service that publishes to the topic (for example CloudWatch alarms, S3 event notifications or EventBridge) must be granted those actions in the key policy; the AWS managed key alias/aws/sns has a fixed key policy, so topics with such service publishers need a customer managed key.

Default Value

By default, SNS topics are not encrypted (the KmsMasterKeyId topic attribute is unset). Encryption must be explicitly enabled on each topic.

Pre-Requisite

IAM Permissions:

  • sns:ListTopics

  • sns:GetTopicAttributes

  • sns:SetTopicAttributes

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the SNS Dashboard.

  3. Select Topics from the left-hand menu.

  4. For each topic, open it and check the Encryption section under the topic's details. Verify that encryption is enabled and note which key is in use (the AWS managed key alias/aws/sns or a customer managed key).

Using AWS CLI:

  1. List All SNS Topics (topics are regional, so repeat for every region in use):

    aws sns list-topics --region <region> --query "Topics[*].TopicArn"

  2. Check Encryption Status for Each Topic:

    aws sns get-topic-attributes --region <region> --topic-arn <topic-arn> --query "Attributes.KmsMasterKeyId"

    A result of null means the KmsMasterKeyId attribute is unset and the topic is not encrypted. Any other value is the key ID, key ARN or alias in use; alias/aws/sns is the AWS managed key, anything else is a customer managed key.


Implementation Steps:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the SNS Dashboard.

  3. Select the topic to update.

  4. Click Edit and expand the Encryption section.

  5. Enable encryption by selecting an AWS-managed key or a Customer Managed Key (CMK) from AWS KMS.

  6. Save the changes.

Using AWS CLI:

  1. Enable Encryption for a Topic (the value may be a KMS key ID, key ARN or alias; use alias/aws/sns for the AWS managed key, or the ID or alias of a customer managed key):

    aws sns set-topic-attributes --region <region> --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-id>

  2. Verify the Changes (the output must be the key you set, not null):

    aws sns get-topic-attributes --region <region> --topic-arn <topic-arn> --query "Attributes.KmsMasterKeyId"
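The following script is an added, end-to-end version of the CLI audit and remediation steps above. It is example code written for this page, not a script from the original page or from AWS: it walks every enabled region, classifies each topic as unencrypted, AWS managed key or customer managed key, and can set a key on a topic and confirm that the change took effect. Beyond the commands already shown it uses aws ec2 describe-regions (needs ec2:DescribeRegions) and aws kms describe-key (needs kms:DescribeKey); the alias alias/sns-topics is an assumed customer managed key that must exist before the fix mode is used.

```shell
#!/bin/sh
# Example SNS SSE audit/remediation helper written for this page; not an
# AWS-provided script. Only documented AWS CLI commands are used. The alias
# alias/sns-topics is an ASSUMED customer managed key: create it first.
set -eu

# Classify the value printed by
#   aws sns get-topic-attributes --query Attributes.KmsMasterKeyId --output text
# An unset attribute prints "None" ("null" with JSON output). alias/aws/sns,
# bare or inside an ARN, is the AWS managed key; anything else is treated as
# a customer managed key (CMK). The alias match is a heuristic: a topic that
# was given the managed key's raw key ID would be reported as CMK, so resolve
# doubtful key IDs with key_manager below.
classify_key() {
  key="${1:-None}"
  case "$key" in
    None|null|"")                   echo "UNENCRYPTED" ;;
    alias/aws/sns|*:alias/aws/sns)  echo "AWS_MANAGED" ;;
    *)                              echo "CMK" ;;
  esac
}

# Ask KMS who manages a key: prints AWS or CUSTOMER.
key_manager() {
  aws kms describe-key --region "$2" --key-id "$1" \
    --query 'KeyMetadata.KeyManager' --output text
}

# One line per topic in a region: CLASS <tab> topic ARN <tab> key value.
# list-topics is paginated; the CLI follows NextToken automatically.
audit_region() {
  region="$1"
  aws sns list-topics --region "$region" \
      --query 'Topics[].TopicArn' --output text | tr '\t' '\n' |
  while IFS= read -r arn; do
    [ -n "$arn" ] || continue
    key=$(aws sns get-topic-attributes --region "$region" --topic-arn "$arn" \
            --query 'Attributes.KmsMasterKeyId' --output text)
    printf '%s\t%s\t%s\n' "$(classify_key "$key")" "$arn" "$key"
  done
}

# Topics are regional, so walk every enabled region.
audit_all() {
  for region in $(aws ec2 describe-regions \
                    --query 'Regions[].RegionName' --output text); do
    audit_region "$region"
  done
}

# Set KmsMasterKeyId on one topic and re-read it to confirm the change.
remediate_topic() {
  arn="$1"; region="$2"; key_id="${3:-alias/sns-topics}"   # assumed CMK alias
  aws sns set-topic-attributes --region "$region" --topic-arn "$arn" \
      --attribute-name KmsMasterKeyId --attribute-value "$key_id"
  after=$(aws sns get-topic-attributes --region "$region" --topic-arn "$arn" \
            --query 'Attributes.KmsMasterKeyId' --output text)
  if [ "$(classify_key "$after")" = "UNENCRYPTED" ]; then
    echo "remediation failed for $arn" >&2
    return 1
  fi
  echo "$arn now uses $after"
}

# Usage:
#   sh sns-sse-audit.sh audit                        # report every topic
#   sh sns-sse-audit.sh audit | grep '^UNENCRYPTED'  # only the findings
#   sh sns-sse-audit.sh fix <topic-arn> <region> [key-id-or-alias]
case "${1:-}" in
  audit) audit_all ;;
  fix)   remediate_topic "$2" "$3" "${4:-}" ;;
esac
```

The audit output is tab-separated so it can be filtered with grep or loaded into a spreadsheet; topics reported as AWS_MANAGED are encrypted but will reject publishes from AWS service principals, so they are worth a second pass with the fix mode and a customer managed key.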

Backout Plan

Using AWS Console:

  1. If enabling encryption breaks publishing or delivery, the usual cause is a publisher or AWS service principal that lacks kms:GenerateDataKey* and kms:Decrypt on the key; correcting the key policy or the publisher's IAM policy is preferable to disabling encryption. If encryption must be disabled, proceed as follows.

  2. Navigate to Amazon SNS in the AWS Management Console, select the topic, choose Edit, and under the Encryption section choose Disable encryption.

  3. Save your changes and verify that the topic is no longer encrypted.

Using AWS CLI:

  1. To disable encryption, set the KmsMasterKeyId attribute to an empty string:

    aws sns set-topic-attributes --region <region> --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value ""

  2. Verify that encryption has been disabled (KmsMasterKeyId must no longer appear in the attributes):

    aws sns get-topic-attributes --region <region> --topic-arn <topic-arn>

References

CIS Controls

Version   Control ID   Control Description                 IG1   IG2   IG3
v8        3.11         Encrypt Sensitive Data at Rest             ●     ●