Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P)
communication. SNS topics allow publisher systems to fan out messages to a large number of subscriber systems. Amazon SNS can encrypt messages
at rest as soon as they are received. If adversaries gain physical access to the storage medium or otherwise obtain a stored message, they are
not able to read its contents without access to the key.
Ask Yourself Whether
- The topic contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt SNS topics that contain sensitive information.
To do so, create a KMS key and configure the SNS topic to use it. Note that server-side encryption does not cover the following:
- Topic metadata (topic name and attributes)
- Message metadata (subject, message ID, timestamp, and attributes)
- Data protection policy
- Per-topic metrics
Then, make sure that any publishers have the kms:GenerateDataKey* and kms:Decrypt permissions for the AWS KMS key.
See the AWS SNS Key Management documentation for more information.
Sensitive Code Example
For AWS::SNS::Topic:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Topic: # Sensitive, encryption disabled by default
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: "unencrypted_topic"
Compliant Solution
For AWS::SNS::Topic:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: "encrypted_topic"
      KmsMasterKeyId:
        Fn::GetAtt:
          - TestKey
          - KeyId
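As an added example (not part of the rule page), the following check walks a parsed CloudFormation template and reports every AWS::SNS::Topic that has no KmsMasterKeyId, or whose KmsMasterKeyId points at a resource the template does not define. The two templates above are embedded as constructed Python dicts (their JSON form), so no YAML library is needed; the resource name TestKey is assumed from the page.

```python
# Added example: static check for unencrypted AWS::SNS::Topic resources.
# Templates are supplied as dicts (the parsed form of the YAML on the page).
from typing import Any, Dict, List, Optional


def _referenced_resource(value: Any) -> Optional[str]:
    """Return the logical id named by a Ref / Fn::GetAtt value, else None."""
    if not isinstance(value, dict):
        return None  # literal key id / ARN / alias string: nothing to cross-check
    if isinstance(value.get("Ref"), str):
        return value["Ref"]
    target = value.get("Fn::GetAtt")
    if isinstance(target, list) and target and isinstance(target[0], str):
        return target[0]  # long form: [LogicalId, Attribute]
    if isinstance(target, str):
        return target.split(".", 1)[0]  # short form: "LogicalId.Attribute"
    return None


def check_sns_encryption(template: Dict[str, Any]) -> List[str]:
    """One finding per SNS topic whose encryption is missing or dangling."""
    resources = template.get("Resources") or {}
    findings: List[str] = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::SNS::Topic":
            continue
        key = (res.get("Properties") or {}).get("KmsMasterKeyId")
        if not key:
            findings.append(f"{name}: KmsMasterKeyId not set, topic is unencrypted")
            continue
        ref = _referenced_resource(key)
        if ref is not None and ref not in resources:
            findings.append(f"{name}: KmsMasterKeyId references undefined resource {ref}")
    return findings


# Constructed inputs mirroring the Sensitive and Compliant templates above.
SENSITIVE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "Topic": {"Type": "AWS::SNS::Topic",
              "Properties": {"DisplayName": "unencrypted_topic"}}}}
COMPLIANT = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "TestKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
    "Topic": {"Type": "AWS::SNS::Topic",
              "Properties": {"DisplayName": "encrypted_topic",
                             "KmsMasterKeyId": {"Fn::GetAtt": ["TestKey", "KeyId"]}}}}}

if __name__ == "__main__":
    for label, tpl in (("sensitive", SENSITIVE), ("compliant", COMPLIANT)):
        print(label, check_sns_encryption(tpl) or ["no findings"])
```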
See