Ensure SNS topic uses a Custom Master Key

Description

Amazon SNS is a publish/subscribe messaging service. When you publish messages to an encrypted topic, a customer master key (CMK) managed by AWS KMS is used to encrypt your messages at rest.

If you operate in a regulated market, such as healthcare (HIPAA), finance (PCI DSS), or government (FedRAMP), you need to ensure that messages carrying sensitive data through this service are encrypted at rest.

Fix - Runtime

SNS Console

  1. Navigate to the SNS console in AWS and select Topics on the left.
  2. Open a topic.
  3. In the top-right corner, click Edit.
  4. Under Encryption, select Enable encryption.
  5. Select a customer master key.

CLI Command

aws sns set-topic-attributes \
  --topic-arn <TOPIC_ARN> \
  --attribute-name "KmsMasterKeyId" \
  --attribute-value <KEY>

The ARN format is arn:aws:sns:REGION:ACCOUNTID:TOPIC_NAME

The key is a reference to a KMS key or alias. Use the ARN of your own customer-managed CMK; do not use an AWS-managed alias such as alias/aws/sns, nor the ARN of an AWS-managed key.
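To verify the runtime fix across an account, the following added example (not part of the original policy page) classifies each topic's KmsMasterKeyId attribute and reports topics that are unencrypted or rely on the AWS-managed key; the topic ARNs and account ID in the sample data are constructed, and the optional live fetch assumes boto3 with valid credentials.

```python
import re

# Key ARN of a customer-managed CMK, e.g. arn:aws:kms:eu-west-2:123456789012:key/<uuid>
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
# AWS-managed keys are referenced as alias/aws/<service>, bare or inside an alias ARN
AWS_MANAGED_ALIAS_RE = re.compile(r"(^|:)alias/aws/")


def classify_key(kms_master_key_id):
    """Return 'missing', 'aws-managed', 'cmk-arn' or 'unresolved' for a topic's key setting."""
    value = (kms_master_key_id or "").strip()
    if not value:
        return "missing"            # topic is not encrypted at rest
    if AWS_MANAGED_ALIAS_RE.search(value):
        return "aws-managed"        # encrypted, but not with a customer-managed CMK
    if KEY_ARN_RE.match(value):
        return "cmk-arn"            # the form the fix above asks for
    return "unresolved"             # bare key ID or custom alias: resolve via KMS before trusting


def audit_topics(topic_attributes):
    """topic_attributes maps topic ARN -> Attributes dict as returned by GetTopicAttributes.
    Returns (topic_arn, status) for every topic that is not backed by a CMK key ARN."""
    findings = []
    for arn, attrs in topic_attributes.items():
        status = classify_key(attrs.get("KmsMasterKeyId"))
        if status != "cmk-arn":
            findings.append((arn, status))
    return findings


def fetch_topic_attributes(region):
    """Live collection (assumes boto3 and credentials); not called in the offline sample below."""
    import boto3
    sns = boto3.client("sns", region_name=region)
    result = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            result[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return result


# Constructed sample: three topics in a placeholder account 123456789012
SAMPLE_TOPICS = {
    "arn:aws:sns:eu-west-2:123456789012:user-updates-topic": {
        "KmsMasterKeyId": "arn:aws:kms:eu-west-2:123456789012:key/11111111-2222-4333-8444-555555555555"},
    "arn:aws:sns:eu-west-2:123456789012:billing-events": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:eu-west-2:123456789012:plaintext-alerts": {"DisplayName": "alerts"},
}

if __name__ == "__main__":
    for arn, status in audit_topics(SAMPLE_TOPICS):
        print(f"{arn}: {status}")
```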

Fix - Buildtime

Terraform

  • Resource: aws_sns_topic
  • Argument: kms_master_key_id - (Optional) The ID of a custom CMK.

resource "aws_sns_topic" "example" {
  ...
  name              = "user-updates-topic"
+ kms_master_key_id = "arn:aws:kms:eu-west-2:680235478471:key/252845b2-0345-41c9-a3f0-55d30384d306"
}

CloudFormation

  • Resource: AWS::SNS::Topic
  • Argument: Properties.KmsMasterKeyId

Type: AWS::SNS::Topic
Properties:
  ...
+ KmsMasterKeyId: "kms_id"