🛡️ AWS SNS Topic is not encrypted with a KMS key🟢

Contextual name: 🛡️ Topic is not encrypted with a KMS key🟢
ID: /ce/ca/aws/sns/topic-encryption-with-kms
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS SNS Topic
- 🔌 AWS SNS Topic - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [SNS.1] SNS topics should be encrypted at-rest using AWS KMS

Description

Description

This policy identifies AWS SNS Topics that are not configured with server-side encryption (SSE) using an AWS KMS key.

Rationale

Enabling server-side encryption for SNS topics is a security measure that protects message data stored at rest. Using an AWS KMS key provides centralized management of encryption keys, including key rotation, access control, and auditing capabilities, helping to maintain compliance with organizational and regulatory data protection standards.

Audit

This policy flags an SNS Topic as INCOMPLIANT if the KMS Key ID field is empty.

Remediation

Open File

Remediation

From Command Line

To enable server-side encryption for an SNS topic using an AWS KMS key, run the following command:

aws sns set-topic-attributes \
    --topic-arn {{topic-arn}} \
    --attribute-name KmsMasterKeyId \
    --attribute-value {{kms-key-id}}

Additional Considerations

Include the following in the key policy to allow Amazon SNS to encrypt and decrypt messages:

{ 
    "Effect": "Allow", 
    "Principal": { 
        "Service": "sns.amazonaws.com" 
     },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*",
    "Condition": {
        "ArnLike": { 
            "aws:SourceArn": "arn:aws:{{service}}:{{region}}:{{account-id}}:{{resource-type}}/{{resource-id}}" 
        },
        "StringEquals": { 
            "kms:EncryptionContext:aws:sns:topicArn": "arn:aws:sns:{{region}}:{{account-id}}:{{sns-topic-name}}" 
        }
    }
}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			19	no data
💼 Cloudaware Framework → 💼 Data Encryption			66	no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			16	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	73	no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			16	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	40	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	35	no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	24	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			42	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		35	no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		59	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		35	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			161	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			173	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			149	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			169	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			112	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			39	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	80	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		29	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	36	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	24	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			25	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable Server-Side Encryption for SNS Topics Using KMS Keys​

From Command Line​

Additional Considerations​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable Server-Side Encryption for SNS Topics Using KMS Keys

From Command Line

Additional Considerations

policy.yaml

Linked Framework Sections