Ensure that AWS SNS topic is encrypted using Customer Managed Keys instead of AWS-owned CMKs
AWS SNS topic should be encrypted using Customer Managed Keys instead of AWS-owned CMKs. This is required in order to meet encryption regulatory requirements of Server-Side encryption for sensitive data that may be stored in the topic.
Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.CRY.51
Category: Application Integration
GSL LOGIC
SnsTopic where cryptoKey.enabled=true should have cryptoKey.isCustomerManaged=true
REMEDIATION
From Portal
Perform the following steps to setup at-rest encryption using customer managed key:
- Sign on to the Amazon SNS console
- On the navigation panel, choose Topics.
- Click on the topic you want to enable encryption for.
- In the top-right corner, click Edit.
- Under Encryption, Enable encryption tab.
- Under Customer master Key (CMK), enter an existing customer managed key ARN.
From TF
resource "aws_sns_topic" "test" {
name = "example_name"
- kms_master_key_id = "CUSTOMER_MANAGED_KEY"
+ kms_master_key_id = "CUSTOMER_MANAGED_KEY"
}
From Command Line
aws sns set-topic-attributes --topic-arn VALUE --attribute-name KMS_MASTER_KEY_ID --attribute-value CUSTOMER_MANAGED_KEY
References
- https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html
- https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
- https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
SNS Topic
An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated over 1 year ago