Ensure that your AWS Simple Notification Service (SNS) topics are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys (default keys used by the SNS service when there are no customer-managed keys created) in order to have a more granular control over the SNS data-at-rest encryption and decryption process.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect your SNS data from unauthorized users, you have full control over who can use the encryption keys to access your data. Amazon Key Management Service (KMS) service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Amazon SNS topics.
Audit
To determine the encryption status and configuration for your AWS SNS topics, perform the following actions:
Remediation / Resolution
To encrypt Amazon SNS topic data with your own KMS Customer Master Key (CMK), perform the following actions:
Note: Enabling encryption at rest using customer-managed CMKs for existing Amazon SNS topics using the AWS API via Command Line Interface (CLI) is not currently supported.References
- AWS Documentation
- Amazon SNS FAQs
- Amazon SNS Security
- Protecting Amazon SNS Data Using Server-Side Encryption (SSE) and AWS KMS
- Tutorial: Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic
- AWS Command Line Interface (CLI) Documentation
- sns
- list-topics
- get-topic-attributes
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

You are auditing:
SNS Topic Encrypted With KMS Customer Master Keys
Risk level: High