
Rule: SNS Topics should be encrypted at rest

This rule ensures that SNS topics are securely encrypted at rest.

Rule: SNS topics should be encrypted at rest
Framework: CISA-cyber-essentials
Severity: Medium

Rule/Policy Description:

SNS (Simple Notification Service) topics should be encrypted at rest for CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials compliance. This policy ensures that message data stored by SNS topics is protected with server-side encryption so that it cannot be read or tampered with by unauthorized individuals who gain access to the underlying storage.

Troubleshooting Steps:

If you are experiencing issues with encrypting SNS topics at rest, follow these troubleshooting steps:

  1. Check IAM Permissions: Ensure that the IAM (Identity and Access Management) user or role associated with the SNS topic has the required permissions to enable encryption at rest. Verify that the IAM policy includes the necessary encryption-related actions.
  2. Audit Encryption Settings: Review the encryption settings for the SNS topic to ensure that encryption at rest is enabled and using the appropriate encryption algorithm.
  3. Verify AWS KMS Configuration: If using AWS Key Management Service (KMS) for encryption, confirm that the correct KMS key alias or ARN (Amazon Resource Name) is specified in the SNS topic configuration.
  4. Check AWS CloudTrail Logs: Consult the CloudTrail logs to identify any potential issues related to SNS topic encryption. Look for error messages or logs indicating failures in enabling encryption at rest.

Necessary Codes:

If encryption at rest is not enabled for SNS topics, use the following code to enable encryption:

aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-arn>

Replace <topic-arn> with the ARN of the SNS topic and <kms-key-arn> with the ARN of the KMS key to be used for encryption.

Step-by-Step Guide for Remediation:

Follow these steps to enable encryption at rest for SNS topics:

  1. Identify the SNS Topic: Determine the specific SNS topic that requires encryption at rest. Make a note of its ARN.
  2. Select Encryption Method: Decide whether to use AWS KMS or another encryption method to encrypt the SNS topic data at rest.
  3. Create/Register a KMS Key (if applicable): If you choose to use AWS KMS, ensure that a suitable KMS key exists. If not, create a new KMS key or register an existing key.
  4. Enable Encryption at Rest: Use the necessary code provided above or the AWS Management Console to enable encryption at rest for the SNS topic.
  5. Validate Encryption: Verify that encryption at rest is now enabled for the SNS topic by checking the topic attributes or configuration details.
  6. Test SNS Functionality: Test the SNS topic functionality to confirm that enabling encryption at rest has not affected the normal operation of the topic.
  7. Monitor for Compliance: Implement monitoring and regular checks to ensure ongoing compliance with the SNS topic encryption policy.

Note: It is recommended to consult the relevant AWS documentation for more detailed instructions and guidance specific to your AWS account and configuration.
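The validation and monitoring steps above (steps 5 and 7) come down to one check: does the topic's attribute set carry a non-empty KmsMasterKeyId? The script below is an added example, not part of this rule page or of any Cloud Defense tooling; it inspects the JSON shape returned by `aws sns get-topic-attributes`, reports the topic as compliant or not, and prints (without running) the same `set-topic-attributes` remediation command shown above. The topic ARN, account id and KMS key ARN are constructed placeholders, and the two JSON documents are constructed stand-ins for live CLI output.

```shell
#!/bin/sh
# Added example: audit SNS topic attributes for encryption at rest and emit the
# remediation command. All ARNs below are constructed placeholders.

# Returns 0 when the attribute JSON carries a non-empty KmsMasterKeyId, 1 otherwise.
# $1 is the JSON document produced by `aws sns get-topic-attributes --output json`.
topic_is_encrypted() {
  printf '%s\n' "$1" | tr -d '\n' |
    grep -q '"KmsMasterKeyId"[[:space:]]*:[[:space:]]*"[^"]\{1,\}"'
}

# Prints the remediation command for an unencrypted topic; it is not executed here.
# $1 topic ARN, $2 KMS key ARN (or alias) to set.
remediation_command() {
  printf 'aws sns set-topic-attributes --topic-arn %s --attribute-name KmsMasterKeyId --attribute-value %s\n' "$1" "$2"
}

# Reports one topic as "compliant" or "noncompliant" and, for the latter, the fix.
# $1 topic ARN, $2 attribute JSON, $3 KMS key ARN to recommend.
audit_topic() {
  if topic_is_encrypted "$2"; then
    echo "$1: compliant"
  else
    echo "$1: noncompliant (no KmsMasterKeyId set)"
    remediation_command "$1" "$3"
  fi
}

# Constructed sample documents shaped like trimmed CLI output (not real topics).
TOPIC_ARN='arn:aws:sns:us-east-1:111122223333:example-alerts'
KEY_ARN='arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID'
UNENCRYPTED_JSON='{"Attributes": {"TopicArn": "'"$TOPIC_ARN"'", "Owner": "111122223333"}}'
ENCRYPTED_JSON='{"Attributes": {"TopicArn": "'"$TOPIC_ARN"'", "KmsMasterKeyId": "alias/aws/sns"}}'

# Live use: replace the constructed JSON with
#   aws sns get-topic-attributes --topic-arn "$TOPIC_ARN" --output json
audit_topic "$TOPIC_ARN" "$UNENCRYPTED_JSON" "$KEY_ARN"
audit_topic "$TOPIC_ARN" "$ENCRYPTED_JSON" "$KEY_ARN"
```

Running the audit over every ARN from `aws sns list-topics` on a schedule is one way to implement the ongoing compliance check in step 7.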
