Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P)
communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages
when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to
access the data.
Ask Yourself Whether
- The topic contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt SNS topics that contain sensitive information.
To do so, create a master key and assign the SNS topic to it. Note that this system does not encrypt the following:
- Topic metadata (topic name and attributes)
- Message metadata (subject, message ID, timestamp, and attributes)
- Data protection policy
- Per-topic metrics
Then, make sure that any publishers have the kms:GenerateDataKey* and kms:Decrypt permissions for the AWS KMS key.
See AWS SNS Key Management
Documentation for more information.
Sensitive Code Example
For aws_sns_topic:
resource "aws_sns_topic" "topic" { # Sensitive, encryption disabled by default
name = "sns-unencrypted"
}
Compliant Solution
For aws_sns_topic:
resource "aws_sns_topic" "topic" {
name = "sns-encrypted"
kms_master_key_id = aws_kms_key.enc_key.key_id
}
See
