SNS topics should be encrypted at-rest using AWS KMS
Description
This control checks whether an Amazon SNS topic is encrypted at rest using keys managed by AWS Key Management Service (AWS KMS). The control fails if the SNS topic does not use a KMS key for server-side encryption (SSE). By default, SNS stores messages and files using disk encryption. To pass this control, you must explicitly choose to use a KMS key for encryption instead of the default disk encryption.
Remediation
Encrypt SNS topics with KMS keys for enhanced security. Encrypting data at rest with KMS keys provides an additional layer of security and offers more access control flexibility. It reduces the risk of data stored on disk being accessed by unauthorized users. Decrypting the data requires specific AWS API permissions.
Steps
- Open the Amazon SNS console.
- Select the SNS topic to configure.
- Go to the 'Encryption' section in the topic's settings.
- Enable server-side encryption (SSE) and select a KMS key.
- Save the encryption configuration.
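The console steps above are a manual remediation. The following is an added example, not code from this page or from AWS, showing how the control's check can be expressed in code: it evaluates the attribute map returned by `aws sns get-topic-attributes` (the `Attributes` object, whose `KmsMasterKeyId` entry holds the SSE key) and treats a missing or blank key as a failure, emitting the matching `set-topic-attributes` remediation command. The sample topics, ARNs and account id are constructed; the `<kms-key-id>` placeholder in the remediation hint is one you substitute with your own key or the `alias/aws/sns` managed key.

```python
import json

# Name of the SNS topic attribute that holds the KMS key used for server-side
# encryption. When SSE is disabled, SNS omits this attribute entirely.
KMS_ATTRIBUTE = "KmsMasterKeyId"


def is_encrypted_with_kms(attributes: dict) -> bool:
    """Return True when the topic attributes show a KMS key configured for SSE.

    A missing attribute, an empty string, or whitespace-only value all mean the
    topic relies on the default disk encryption and therefore fails the control.
    """
    key_id = attributes.get(KMS_ATTRIBUTE)
    return isinstance(key_id, str) and key_id.strip() != ""


def evaluate_topic(topic_arn: str, attributes: dict) -> dict:
    """Produce a PASS/FAIL finding for one topic, with a remediation hint on FAIL."""
    encrypted = is_encrypted_with_kms(attributes)
    return {
        "topic_arn": topic_arn,
        "status": "PASS" if encrypted else "FAIL",
        "kms_key": attributes.get(KMS_ATTRIBUTE) if encrypted else None,
        # Remediation command; <kms-key-id> is a placeholder the operator fills in.
        "remediation": None if encrypted else (
            f"aws sns set-topic-attributes --topic-arn {topic_arn} "
            f"--attribute-name {KMS_ATTRIBUTE} --attribute-value <kms-key-id>"
        ),
    }


def evaluate_cli_output(topic_arn: str, cli_json: str) -> dict:
    """Evaluate the JSON printed by `aws sns get-topic-attributes`.

    The CLI wraps the attribute map in an "Attributes" object; a bare map is
    accepted too so the same function works on data from other collectors.
    """
    parsed = json.loads(cli_json)
    attributes = parsed.get("Attributes", parsed) if isinstance(parsed, dict) else {}
    return evaluate_topic(topic_arn, attributes)


# Constructed sample data standing in for real get-topic-attributes output.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:orders-encrypted": json.dumps({
        "Attributes": {
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:orders-encrypted",
            "KmsMasterKeyId": "alias/aws/sns",
        }
    }),
    "arn:aws:sns:us-east-1:111122223333:orders-plain": json.dumps({
        "Attributes": {
            # No KmsMasterKeyId: SSE is off, default disk encryption only.
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:orders-plain",
        }
    }),
    "arn:aws:sns:us-east-1:111122223333:orders-blank": json.dumps({
        "Attributes": {
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:orders-blank",
            "KmsMasterKeyId": "",  # constructed edge case: attribute present but empty
        }
    }),
}


def evaluate_all(topics: dict) -> list:
    """Evaluate a mapping of topic ARN -> raw CLI JSON and return one finding each."""
    return [evaluate_cli_output(arn, raw) for arn, raw in topics.items()]


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_TOPICS):
        print(f"{finding['status']}  {finding['topic_arn']}")
        if finding["remediation"]:
            print(f"      remediation: {finding['remediation']}")
```

To run it against real topics, replace `SAMPLE_TOPICS` with the output of `aws sns get-topic-attributes --topic-arn <arn>` for each ARN listed by `aws sns list-topics`. Note that the check only confirms a KMS key is set; whether the AWS managed key or a customer managed key is appropriate is a separate decision about who should hold decrypt permissions.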