- SNS Topic Encrypted With KMS Customer Master Keys
Ensure that your Amazon Simple Notification Service (SNS) topics are using KMS Customer Master Keys (CMKs) instead of AWS-managed keys (i.e. default keys used when there are no customer keys defined) in order to benefit from a more granular control over your SNS data encryption/decryption process.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you create and use your own customer-provided Customer Master Keys (CMKs) to protect Amazon SNS data, you gain full control over who can use the keys and access your data. The Amazon KMS service allows you to create, rotate, disable, enable, and audit CMK encryption keys for SNS topics.
Audit
To determine if Server-Side Encryption (SSE) with Customer Master Keys (CMKs) is enabled for your Amazon SNS topics, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.
03 In the main navigation panel, under Amazon SNS, choose Topics.
04 Click on the name (link) of the SNS topic that you want to examine.
05 Select the Encryption tab from the console bottom panel and check the Encryption attribute status. If the Encryption status is set to Disabled, Server-Side Encryption (SSE) is not enabled for the selected SNS topic. If the Encryption status is set to Configured, check the Customer master key (CMK) attribute value. If the Customer master key (CMK) value is set to (Default) alias/aws/sns, the selected Amazon SNS topic is using the default master key (AWS-managed key) instead of a Customer Master Key (CMK) for Server-Side Encryption (SSE).
06 Repeat steps no. 4 and 5 for each Amazon SNS topic available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run list-topics command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Amazon SNS topic available in the selected AWS cloud region:
aws sns list-topics --region us-east-1 --output table --query 'Topics[]'
02 The command output should return a table with the requested SNS topic ARNs:
-----------------------------------------------------------
|                       ListTopics                        |
+---------------------------------------------------------+
|                        TopicArn                         |
+---------------------------------------------------------+
|  arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic  |
|  arn:aws:sns:us-east-1:123456789012:cc-prod-sns-stack   |
|  arn:aws:sns:us-east-1:123456789012:cc-main-sns-topic   |
+---------------------------------------------------------+
03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to examine as the identifier parameter to describe the ARN of the KMS master key used by the selected SNS topic for Server-Side Encryption (SSE):
aws sns get-topic-attributes --region us-east-1 --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic --query 'Attributes.KmsMasterKeyId'
04 The command output should return the requested ARN or null if the Server-Side Encryption (SSE) is not enabled:
"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter to describe the manager of the specified KMS key:
aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd --query 'KeyMetadata.KeyManager'
06 The command output should return the master key manager ("AWS" if the master key is AWS-managed, and "CUSTOMER" if the key is customer-provided):
"AWS"
If the describe-key command output returns "AWS", as shown in the output example above, the selected Amazon SNS topic is using the default master key (AWS-managed key) instead of a Customer Master Key (CMK) for Server-Side Encryption (SSE).
07 Repeat steps no. 3 – 6 for each Amazon SNS topic available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To use your own KMS Customer Master Key (CMK) for Amazon SNS Server-Side Encryption (SSE), perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Use Customer Master Keys (CMKs) for Server-Side Encryption (SSE)",
    "Parameters": {
        "SNSTopicName": {
            "Type": "String",
            "Description": "Topic Name",
            "Default": "cc-sns-topic"
        }
    },
    "Resources": {
        "AWSSNSTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "TopicName": {
                    "Ref": "SNSTopicName"
                },
                "Subscription": [
                    {
                        "Endpoint": "user@domain.com",
                        "Protocol": "email"
                    }
                ],
                "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Use Customer Master Keys (CMKs) for Server-Side Encryption (SSE)
Parameters:
  SNSTopicName:
    Type: String
    Description: Topic Name
    Default: cc-sns-topic
Resources:
  AWSSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref 'SNSTopicName'
      Subscription:
        - Endpoint: user@domain.com
          Protocol: email
      KmsMasterKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_sns_topic" "cc-sns-topic" {
  name = "cc-trail-sns-topic"

  # Use Customer Master Keys (CMKs) for Server-Side Encryption (SSE)
  kms_master_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}

resource "aws_sns_topic_subscription" "cc-sns-topic-target" {
  topic_arn = aws_sns_topic.cc-sns-topic.arn
  protocol  = "email"
  endpoint  = "user@domain.com"
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.
03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.
04 Choose the Create Key button from the console top menu to initiate the CMK setup process.
05 For Step 1 Configure key, perform the following operations:
- Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
- Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
- Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
- Choose Next to continue.
06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.
07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.
08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your SNS data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.
09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
10 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.
11 In the main navigation panel, under Amazon SNS, choose Topics.
12 Click on the name (link) of the SNS topic that you want to reconfigure.
13 Choose Edit from the console top menu to access the topic configuration settings.
14 Select the Encryption – optional tab and perform the following actions:
- Ensure that Enable encryption option is selected (active).
- Click inside the Customer master key (CMK) box and select the Amazon KMS Customer Master Key (CMK) created at the previous steps.
- Choose Save changes to apply the configuration changes.
15 Repeat steps no. 12 – 14 to enable Server-Side Encryption (SSE) with Customer Master Keys (CMKs) for each Amazon SNS topic available within the current AWS region.
16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.
Using AWS CLI
01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your Amazon SNS data using the KMS API. Create a new policy document (JSON format), name the file sns-data-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{
    "Id": "protected-cmk-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. sns-data-cmk-policy.json) as value for the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):
aws kms create-key --region us-east-1 --description 'Customer Master Key for SNS Server-Side Encryption' --policy file://sns-data-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Master Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/SnsSseCmk --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
05 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to encrypt as the identifier parameter, to enable Server-Side Encryption (SSE) for the selected topic using the customer-provided Customer Master Key (CMK) created and configured at the previous steps (the command does not produce an output):
aws sns set-topic-attributes --region us-east-1 --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic --attribute-name KmsMasterKeyId --attribute-value arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
06 Repeat step no. 5 to enable Server-Side Encryption (SSE) with Customer Master Keys (CMKs) for each Amazon SNS topic available in the selected AWS region.
07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Remediation process for other regions.
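The Audit (CLI steps 1 to 6) and Remediation (CLI step 5) procedures above, carried through as one script. This is an added example, not part of the Conformity page: it assumes a configured AWS CLI and, for the remediation path, that the customer-managed CMK and its key policy have already been created as in steps 1 to 4. The helper names (classify_topic, audit_region, remediate_region) are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not from the Conformity page): audit the SNS topics of one region as in
# Audit steps 1-6 and, when a customer-managed CMK ARN is given, apply it to topics with no
# SSE or the AWS-managed key (Remediation step 5). Assumes a configured AWS CLI with
# sns:ListTopics, sns:GetTopicAttributes, sns:SetTopicAttributes and kms:DescribeKey.

# classify_topic KMS_MASTER_KEY_ID KEY_MANAGER: KmsMasterKeyId is "None" in text output
# when SSE is off; KEY_MANAGER is KeyMetadata.KeyManager from describe-key (may be empty).
classify_topic() {
  if [ -z "$1" ] || [ "$1" = "None" ] || [ "$1" = "null" ]; then echo NO_SSE
  elif [ "$1" = "alias/aws/sns" ] || [ "$2" = "AWS" ]; then echo AWS_MANAGED
  elif [ "$2" = "CUSTOMER" ]; then echo CUSTOMER_CMK
  else echo UNKNOWN   # describe-key denied, or the key lives in another account
  fi
}

# audit_region REGION: prints "<verdict> <topic-arn>" for every topic in the region
audit_region() {
  aws sns list-topics --region "$1" --query 'Topics[].TopicArn' --output text |
    tr '\t' '\n' | while read -r topic_arn; do
      [ -z "$topic_arn" ] && continue
      key_id=$(aws sns get-topic-attributes --region "$1" --topic-arn "$topic_arn" \
        --query 'Attributes.KmsMasterKeyId' --output text)
      key_manager=""
      if [ -n "$key_id" ] && [ "$key_id" != "None" ]; then
        # describe-key accepts a key ARN, key ID or an alias such as alias/aws/sns
        key_manager=$(aws kms describe-key --region "$1" --key-id "$key_id" \
          --query 'KeyMetadata.KeyManager' --output text 2>/dev/null)
      fi
      echo "$(classify_topic "$key_id" "$key_manager") $topic_arn"
    done
}

# remediate_region REGION CMK_ARN: sets KmsMasterKeyId on each non-compliant topic
remediate_region() {
  audit_region "$1" | while read -r verdict topic_arn; do
    case "$verdict" in
      NO_SSE|AWS_MANAGED)
        echo "fixing   $topic_arn"
        aws sns set-topic-attributes --region "$1" --topic-arn "$topic_arn" \
          --attribute-name KmsMasterKeyId --attribute-value "$2" ;;
      *) echo "skipping $verdict $topic_arn" ;;
    esac
  done
}

# Usage: sh sns-sse-audit.sh <region> [<customer-cmk-arn>]  (no CMK ARN = report only)
if [ -n "${1:-}" ]; then
  if [ -n "${2:-}" ]; then remediate_region "$1" "$2"; else audit_region "$1"; fi
fi
```

Run it once per region with only the region argument to get the report, then re-run with the CMK ARN to apply step 5 to every topic reported as NO_SSE or AWS_MANAGED; topics whose key could not be described are reported as UNKNOWN and left untouched.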