Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P)
communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages
when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to
access the data.
Ask Yourself Whether
- The topic contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no
further modifications to the application are necessary.
Sensitive Code Example
For aws_cdk.aws_sns.Topic
import { Topic } from 'aws-cdk-lib/aws-sns';
new Topic(this, 'exampleTopic'); // Sensitive
For aws_cdk.aws_sns.CfnTopic
import { Topic, CfnTopic } from 'aws-cdk-lib/aws-sns';
new CfnTopic(this, 'exampleCfnTopic'); // Sensitive
Compliant Solution
For aws_cdk.aws_sns.Topic
import { Topic } from 'aws-cdk-lib/aws-sns';
const encryptionKey = new Key(this, 'exampleKey', {
enableKeyRotation: true,
});
new Topic(this, 'exampleTopic', {
masterKey: encryptionKey
});
For aws_cdk.aws_sns.CfnTopic
import { CfnTopic } from 'aws-cdk-lib/aws-sns';
const encryptionKey = new Key(this, 'exampleKey', {
enableKeyRotation: true,
});
cfnTopic = new CfnTopic(this, 'exampleCfnTopic', {
kmsMasterKeyId: encryptionKey.keyId
});
See
