Ensure SNS topic uses a Custom Master Key
Description
Amazon SNS is a publish/subscribe messaging service. When you publish messages to an encrypted topic, a customer master key (CMK) managed through AWS KMS is used to encrypt your messages.
If you operate in a regulated market, such as healthcare under HIPAA, finance under PCI DSS, or government under FedRAMP, you need to ensure that sensitive data passed through this service is encrypted at rest.
Fix - Runtime
SNS Console
- Navigate to the SNS console in AWS and select Topics on the left.
- Open a topic.
- In the top-right corner, click Edit.
- Under Encryption, select Enable encryption.
- Select a customer master key.
CLI Command
aws sns set-topic-attributes \
  --topic-arn <TOPIC_ARN> \
  --attribute-name "KmsMasterKeyId" \
  --attribute-value <KEY>
The topic ARN has the format arn:aws:sns:REGION:ACCOUNTID:TOPIC_NAME.
The key value is a reference to a KMS key or alias. Use the ARN of your own CMK; do not use an alias such as alias/aws/sns or the ARN of an AWS-managed key.
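The runtime fix above sets KmsMasterKeyId; the check that belongs beside it is one that reads the attribute back for every topic and flags anything that is not the ARN of a customer-managed key. The following is an added example, not code from the page or from Bridgecrew/Checkov: it runs offline over a constructed set of topic attributes shaped like the "Attributes" map that `aws sns get-topic-attributes` returns (the account id, key id and topic names are made up), and the optional `key_manager` callable is an assumption standing in for a `kms:DescribeKey` lookup of KeyMetadata.KeyManager, which is the only way to tell an AWS-managed key's ARN from a customer-managed one.

```python
"""Audit SNS topics for a customer-managed KMS key (offline example)."""
import re

# Constructed sample data: topic ARN -> attributes, mirroring the
# "Attributes" map from `aws sns get-topic-attributes --topic-arn ...`.
SAMPLE_TOPICS = {
    "arn:aws:sns:eu-west-2:111122223333:user-updates-topic": {
        "KmsMasterKeyId": "arn:aws:kms:eu-west-2:111122223333:key/11111111-2222-3333-4444-555555555555",
    },
    "arn:aws:sns:eu-west-2:111122223333:aws-managed-topic": {
        "KmsMasterKeyId": "alias/aws/sns",            # AWS-managed key alias
    },
    "arn:aws:sns:eu-west-2:111122223333:alias-topic": {
        "KmsMasterKeyId": "arn:aws:kms:eu-west-2:111122223333:alias/my-sns-key",
    },
    "arn:aws:sns:eu-west-2:111122223333:plaintext-topic": {
        "DisplayName": "no encryption configured",  # KmsMasterKeyId absent
    },
}

# A KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<36-char key id>
KEY_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def classify_key_id(kms_master_key_id):
    """Classify a KmsMasterKeyId value.

    Returns one of 'none', 'aws-managed-alias', 'alias', 'key-arn', 'other'.
    """
    if not kms_master_key_id:
        return "none"
    value = kms_master_key_id.strip()
    # Both 'alias/aws/...' and 'arn:...:alias/aws/...' name an AWS-managed key.
    if value.startswith("alias/aws/") or ":alias/aws/" in value:
        return "aws-managed-alias"
    if value.startswith("alias/") or ":alias/" in value:
        return "alias"
    if KEY_ARN.match(value):
        return "key-arn"
    return "other"  # bare key id or something unexpected: not accepted by this check


def is_compliant(attributes, key_manager=None):
    """True when KmsMasterKeyId is a key ARN and, if key_manager is given,
    that lookup reports the key as customer-managed.

    key_manager (assumed, optional): callable key ARN -> "CUSTOMER" or "AWS".
    In a live audit it would wrap kms:DescribeKey and return
    KeyMetadata.KeyManager; it is left pluggable so this example stays offline.
    """
    key_id = attributes.get("KmsMasterKeyId")
    if classify_key_id(key_id) != "key-arn":
        return False
    if key_manager is not None and key_manager(key_id) != "CUSTOMER":
        return False
    return True


def audit(topics, key_manager=None):
    """Return {topic_arn: reason} for every topic that fails the check."""
    findings = {}
    for topic_arn, attrs in topics.items():
        key_id = attrs.get("KmsMasterKeyId")
        kind = classify_key_id(key_id)
        if kind != "key-arn":
            findings[topic_arn] = kind
        elif key_manager is not None and key_manager(key_id) != "CUSTOMER":
            findings[topic_arn] = "aws-managed-key-arn"
    return findings


if __name__ == "__main__":
    for arn, reason in audit(SAMPLE_TOPICS).items():
        print(f"NON-COMPLIANT {arn}: KmsMasterKeyId is {reason}")
```

Without a `key_manager` lookup the check can only reject missing values and aliases; a key ARN that belongs to the AWS-managed aws/sns key looks identical to a customer key ARN, so a live audit should supply the DescribeKey-backed callable before treating "key-arn" as a pass.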
Fix - Buildtime
Terraform
- Resource: aws_sns_topic
- Argument: kms_master_key_id - (Optional) The ID of a custom CMK.
resource "aws_sns_topic" "example" {
  ...
  name = "user-updates-topic"
+ kms_master_key_id = "arn:aws:kms:eu-west-2:680235478471:key/252845b2-0345-41c9-a3f0-55d30384d306"
}
CloudFormation
- Resource: AWS::SNS::Topic
- Argument: Properties.KmsMasterKeyId
Type: AWS::SNS::Topic
Properties:
  ...
+ KmsMasterKeyId: "kms_id"