Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to access the data.

Ask Yourself Whether

• The topic contains sensitive data that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to encrypt SNS topics that contain sensitive information.

To do so, create a master key and assign the SNS topic to it. Note that this system does not encrypt the following:

• Topic metadata (topic name and attributes)
• Message metadata (subject, message ID, timestamp, and attributes)
• Data protection policy
• Per-topic metrics

Then, make sure that any publishers have the kms:GenerateDataKey* and kms:Decrypt permissions for the AWS KMS key.

See AWS SNS Key Management Documentation for more information.

Sensitive Code Example

For aws_sns_topic:

resource "aws_sns_topic" "topic" {  # Sensitive, encryption disabled by default
  name = "sns-unencrypted"
}

Compliant Solution

For aws_sns_topic:

resource "aws_sns_topic" "topic" {
  name = "sns-encrypted"
  kms_master_key_id = aws_kms_key.enc_key.key_id
}

See

• AWS Documentation - Encryption at rest
• Encrypting messages published to Amazon SNS with AWS KMS
• CWE - CWE-311 - Missing Encryption of Sensitive Data
• STIG Viewer - Application Security and Development: V-222588 - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.