Description

The Server-Side Encryption (SSE) feature in AWS Simple Notification Service (SNS) protects the content of messages published to your SNS topics, making it a suitable choice for applications with strict encryption compliance and regulatory requirements. To provide additional protection for sensitive data delivered as messages to subscribers, enable SSE for your SNS topics. With SSE enabled, SNS encrypts messages using a 256-bit AES-GCM algorithm and a Customer Master Key (CMK) issued by AWS Key Management Service (KMS) as soon as they are published to an encrypted topic. SSE works with both AWS-managed CMKs and customer-managed CMKs.

Remediation

To ensure additional protection of sensitive data delivered as messages to subscribers in AWS Simple Notification Service (SNS), follow these remediation steps to enable encryption:

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose "Topics".
  3. Choose the SNS topic for which you want to enable SSE encryption.
  4. Choose the "Encryption" tab.
  5. Select the "Enable encryption" checkbox.
  6. Choose the CMK that you want to use to encrypt the messages, either an AWS-managed CMK or a customer-managed CMK.
  7. Click "Save changes".

Once SSE is enabled for your SNS topic, messages published to the encrypted topic are immediately encrypted using a 256-bit AES-GCM algorithm and a Customer Master Key (CMK) issued by AWS Key Management Service (KMS). This helps you meet strict encryption compliance and regulatory requirements and protects sensitive data in your SNS messages.
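
The console steps above can also be applied across every topic in a region through the SNS API. The script below is an added example, not Lightlytics' own tooling: it uses boto3's `list_topics`, `get_topic_attributes` and `set_topic_attributes` calls, and the function names and the choice of `alias/aws/sns` as the default key are assumptions made for illustration.

```python
"""Audit SNS topics for SSE and optionally enable it (added example)."""
import sys

# AWS-managed key alias for SNS; replace with a customer-managed key alias or ARN if required.
DEFAULT_KEY = "alias/aws/sns"


def unencrypted_topics(sns):
    """Return ARNs of topics whose KmsMasterKeyId attribute is missing or empty."""
    missing = []
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page.get("Topics", []):
            arn = topic["TopicArn"]
            attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
            if not attrs.get("KmsMasterKeyId"):
                missing.append(arn)
    return missing


def enable_sse(sns, topic_arn, key_id=DEFAULT_KEY):
    """Set the topic's KMS key, then read it back to confirm the change took effect."""
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="KmsMasterKeyId", AttributeValue=key_id
    )
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    return attrs.get("KmsMasterKeyId") == key_id


def remediate(sns, key_id=DEFAULT_KEY, apply=False):
    """Report unencrypted topics; with apply=True also enable SSE. Returns {arn: status}."""
    result = {}
    for arn in unencrypted_topics(sns):
        if not apply:
            result[arn] = "unencrypted"
        else:
            result[arn] = "encrypted" if enable_sse(sns, arn, key_id) else "failed"
    return result


if __name__ == "__main__":
    import boto3  # requires AWS credentials and a default region to be configured

    apply_changes = "--apply" in sys.argv
    for arn, status in remediate(boto3.client("sns"), apply=apply_changes).items():
        print(f"{status}\t{arn}")
```

Without `--apply` the script only reports; test it against a non-production account first. AWS services that publish to the topic (for example CloudWatch alarms) need a customer-managed key whose key policy grants them access, because the policy of `alias/aws/sns` cannot be edited.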

Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.