Ensure server side encryption (SSE) is enabled for Amazon Simple Notification Service (SNS) Topic

MEDIUM

Description

The Amazon SNS topic has server-side encryption (SSE) disabled. Messages published to it are therefore stored unencrypted at rest, which may lead to sensitive data exposure.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Amazon SNS console.
  2. In the navigation panel, select Topics.
  3. On the Topics page, select the topic and choose Edit.
  4. Expand the Encryption section and do the following:
    a. Choose Enable encryption.
    b. Specify the customer master key (CMK), either the AWS managed key for SNS or a customer managed key.

In Terraform -

  1. In the aws_sns_topic resource, set the kms_master_key_id argument to a valid KMS key (key ID, key ARN, alias name or alias ARN); the AWS managed key alias/aws/sns is the simplest choice, a customer managed key gives control over the key policy.
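The following Terraform is an added example for this policy, not code from the original page or from the rule's vendor. It places the non-compliant topic that this rule flags next to a compliant one that uses a customer managed KMS key, and includes the key policy and publisher permissions the encrypted topic needs to keep working. The resource names, topic names and alias are assumptions for illustration.

```hcl
# Added example (not part of the original policy page). Names such as
# "orders", "alias/sns-orders" and the resource labels are assumptions.

data "aws_caller_identity" "current" {}

# Non-compliant: kms_master_key_id is not set, so the topic stores
# message bodies unencrypted. This is what AC_AWS_0364 flags.
resource "aws_sns_topic" "unencrypted" {
  name = "orders-unencrypted"
}

# Customer managed key for SNS SSE. Besides the account root (which lets
# IAM policies in the account grant key access), the SNS service principal
# is allowed to generate data keys and decrypt, so that SNS can encrypt on
# publish and decrypt on delivery.
resource "aws_kms_key" "sns" {
  description         = "SSE key for SNS topics"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowSNSToUseKey"
        Effect    = "Allow"
        Principal = { Service = "sns.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "sns" {
  name          = "alias/sns-orders"
  target_key_id = aws_kms_key.sns.key_id
}

# Compliant: kms_master_key_id points at the customer managed key.
# The AWS managed key would be kms_master_key_id = "alias/aws/sns".
resource "aws_sns_topic" "encrypted" {
  name              = "orders"
  kms_master_key_id = aws_kms_alias.sns.name
}

# Whoever publishes to the encrypted topic needs these KMS actions on the
# key in addition to sns:Publish; without them Publish fails with a KMS
# access error. Attach this document to the publisher's IAM role or user.
data "aws_iam_policy_document" "publisher" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.encrypted.arn]
  }
  statement {
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = [aws_kms_key.sns.arn]
  }
}
```

Two caveats worth keeping in mind when applying this. First, SNS SSE encrypts the message body at rest only; the topic name and attributes and the message metadata (subject, message ID, timestamp, message attributes) are not encrypted, and protection in transit still comes from TLS. Second, any AWS service that publishes to the topic (for example S3 event notifications or CloudWatch alarms) must also be granted kms:GenerateDataKey* and kms:Decrypt in the key policy, or its deliveries will start failing once encryption is enabled. To verify the fix, aws sns get-topic-attributes on the topic ARN returns a KmsMasterKeyId attribute only when SSE is enabled.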

References:
https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id

Policy Details

Rule Reference ID: AC_AWS_0364
CSP: AWS
Remediation Available: Yes
Resource: aws_sns_topic
Resource Category: Messaging

Frameworks