Ensure AWS SNS topic has SSE enabled

Error: AWS SNS topic has SSE disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_15
Checkov Check ID: CKV_AWS_26
Severity: MEDIUM

AWS SNS topic has SSE disabled

Description

Amazon SNS is a publishers and subscribers messaging service. When you publish messages to encrypted topics, customer master keys (CMK), powered by AWS KMS, can be used to encrypt your messages.

If you operate in a regulated market, such as HIPAA for healthcare, PCI DSS for finance, or FedRAMP for government, you need to ensure sensitive data messages passed in this service are encrypted at rest.

Fix - Runtime

SNS Console

  1. Navigate to the SNS console in AWS and select Topics on the left.
  2. Open a topic.
  3. In the top-right corner, click Edit.
  4. Under Encryption, select Enable encryption.
  5. Select a customer master key - you can use the default AWS key or a custom key in KMS.

CLI Command

aws sns set-topic-attributes 
--topic-arn <TOPIC_ARN> 
--attribute-name "KmsMasterKeyId" 
--attribute-value <KEY>

The ARN format is arn:aws:sns:REGION:ACCOUNTID:TOPIC_NAME

The key is a reference to a KMS key or alias. Use alias/aws/sns for the default AWS key.

Fix - Buildtime

Terraform

  • Resource: aws_sns_topic
  • Argument: kms_master_key_id - (Optional) The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK.
resource "aws_sns_topic" "example" {
  ...
  name              = "user-updates-topic"
+ kms_master_key_id = "alias/aws/sns"
}

CloudFormation

  • Resource: AWS::SNS::Topic
  • Argument: Properties.KmsMasterKeyId
Type: AWS::SNS::Topic
    Properties:
      ...
+     KmsMasterKeyId: "kms_id"

Did this page help you?