Ensure that Server-Side Encryption (SSE) is enabled for your AWS Simple Notification Service (SNS) topics for additional protection of sensitive data delivered as messages to subscribers. With the SSE feature enabled, when messages are published to encrypted topics, AWS SNS immediately encrypts the messages using a 256-bit AES-GCM algorithm and a Customer Master Key (CMK) issued by Amazon KMS service. AWS SNS Server-Side Encryption can work with both AWS-managed CMKs and customer-managed CMKs.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon SNS Server-Side Encryption (SSE) feature protects the contents of the published messages within your SNS topics, making it ideal for security-sensitive applications with strict encryption compliance and regulatory requirements.
Audit
To determine if your Amazon SNS topics are using Server-Side Encryption, perform the following actions:
Remediation / Resolution
To enable Server-Side Encryption (SSE) for your Amazon Simple Notification Service (SNS) topics, perform the following actions:
References
- AWS Documentation
- Amazon SNS FAQs
- Getting Started with Amazon Simple Notification Service
- Amazon SNS Security
- Protecting Amazon SNS Data Using Server-Side Encryption (SSE) and AWS KMS
- Tutorial: Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic
- AWS Command Line Interface (CLI) Documentation
- sns
- list-topics
- get-topic-attributes
- AWS Blog(s)
- Amazon SNS Adds Server-Side Encryption (SSE)
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

You are auditing:
Enable Server-Side Encryption for AWS SNS Topics
Risk level: High