
Rule: SNS topics should be encrypted at rest

This rule ensures that all SNS topics are encrypted at rest for enhanced security measures.

Rule: SNS topics should be encrypted at rest
Framework: GxP EU Annex 11
Severity: Medium

AWS SNS Topic Encryption for GxP Compliance

To comply with Good Manufacturing Practice (GMP) as governed by the European Union's Annex 11, Amazon Simple Notification Service (SNS) topics should be encrypted at rest to ensure the confidentiality and integrity of messages containing sensitive data.

Understanding GxP EU Annex 11 Compliance

GxP (Good X Practice) is a collection of quality guidelines and regulations. The EU Annex 11 is a directive concerning computerized systems used within pharmaceutical and clinical environments. It requires that data is protected against unauthorized access or changes, and encryption at rest is a key part of meeting this directive.

Encryption at Rest for SNS Topics

AWS SNS supports encryption at rest using AWS Key Management Service (KMS), which uses customer master keys (CMKs) to encrypt your messages. Enabling encryption ensures that your messages are never stored in unencrypted form.

Step by Step Guide for SNS Topic Encryption

Step 1: Select or Create a KMS CMK

Ensure a KMS CMK is available for use or create a new one:

# Create a new CMK (if necessary). The --policy option takes the policy document
# itself, so a file must be passed with the file:// prefix, not as a bare filename.
aws kms create-key --description "SNS encryption/decryption" --policy file://policy.json

The policy.json file is the key policy; it defines who can use the key.

Step 2: Encrypt an SNS Topic

Enable encryption by setting the SNS topic's KmsMasterKeyId property to the ARN of your CMK:

# Encrypt the SNS topic
aws sns set-topic-attributes --topic-arn "arn:aws:sns:region:account-id:topic-name" --attribute-name KmsMasterKeyId --attribute-value "arn:aws:kms:region:account-id:key/key-id"

Step 3: Verify Encryption

Ensure that the SNS topic's attributes reflect the use of the KMS key:

# Retrieve the SNS topic attributes
aws sns get-topic-attributes --topic-arn "arn:aws:sns:region:account-id:topic-name"
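The three steps above, carried through as one automated audit-and-remediate loop: find topics whose attributes lack a KmsMasterKeyId, set the attribute to a CMK ARN, and read the attributes back to verify the change rather than trusting that the call succeeded. This is an added example, not Cloud Defense's own code. The topic attribute maps are constructed to mirror the shape returned by `aws sns get-topic-attributes`, and FakeSnsClient is a stand-in for a boto3 SNS client so the flow runs offline; the function signatures it mimics (list_topics, get_topic_attributes, set_topic_attributes with TopicArn/AttributeName/AttributeValue) are the real boto3 ones.

```python
"""Audit SNS topics for encryption at rest and apply the KmsMasterKeyId fix."""
from typing import Dict, List

# Constructed sample data: TopicArn -> Attributes map, shaped like the output of
# `aws sns get-topic-attributes`. Account and key IDs are placeholders.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SAMPLE_TOPICS: Dict[str, Dict[str, str]] = {
    "arn:aws:sns:eu-west-1:111122223333:batch-release": {
        "TopicArn": "arn:aws:sns:eu-west-1:111122223333:batch-release",
        "Owner": "111122223333",
        "KmsMasterKeyId": KEY_ARN,          # already encrypted with a CMK
    },
    "arn:aws:sns:eu-west-1:111122223333:lab-alerts": {
        "TopicArn": "arn:aws:sns:eu-west-1:111122223333:lab-alerts",
        "Owner": "111122223333",            # no KmsMasterKeyId -> unencrypted
    },
}


class FakeSnsClient:
    """Minimal offline stand-in for boto3.client('sns'), constructed for this example."""

    def __init__(self, topics: Dict[str, Dict[str, str]]):
        self._topics = {arn: dict(attrs) for arn, attrs in topics.items()}

    def list_topics(self, **kwargs):
        # The real API paginates with NextToken; this fake returns everything at once.
        return {"Topics": [{"TopicArn": arn} for arn in self._topics]}

    def get_topic_attributes(self, TopicArn: str):
        return {"Attributes": dict(self._topics[TopicArn])}

    def set_topic_attributes(self, TopicArn: str, AttributeName: str, AttributeValue: str):
        self._topics[TopicArn][AttributeName] = AttributeValue
        return {}


def is_encrypted_at_rest(attributes: Dict[str, str]) -> bool:
    """A topic is encrypted at rest when KmsMasterKeyId is present and non-empty."""
    return bool(attributes.get("KmsMasterKeyId", "").strip())


def find_unencrypted_topics(sns) -> List[str]:
    """Step 3 applied fleet-wide: walk every topic (following pagination) and
    return the ARNs whose attributes do not reference a KMS key."""
    unencrypted: List[str] = []
    kwargs: Dict[str, str] = {}
    while True:
        page = sns.list_topics(**kwargs)
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
            if not is_encrypted_at_rest(attrs):
                unencrypted.append(arn)
        token = page.get("NextToken")
        if not token:
            return unencrypted
        kwargs = {"NextToken": token}


def remediate(sns, topic_arn: str, key_arn: str) -> bool:
    """Step 2 followed by Step 3: set KmsMasterKeyId, then read the attributes
    back and confirm the key is actually in place. Returns True on verified success."""
    sns.set_topic_attributes(TopicArn=topic_arn,
                             AttributeName="KmsMasterKeyId",
                             AttributeValue=key_arn)
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    return attrs.get("KmsMasterKeyId") == key_arn


if __name__ == "__main__":
    sns = FakeSnsClient(SAMPLE_TOPICS)   # swap for boto3.client("sns") in practice
    for arn in find_unencrypted_topics(sns):
        print(f"unencrypted: {arn} -> fixed={remediate(sns, arn, KEY_ARN)}")
    print("remaining unencrypted:", find_unencrypted_topics(sns))
```

Against a real account, replace FakeSnsClient with `boto3.client("sns")`; the audit loop already follows NextToken, so it works on accounts with more topics than one list_topics page returns.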

Troubleshooting

Issue: Encryption Not Enabled

If the SNS topic appears unencrypted:

  • Check the topic attributes to confirm the KmsMasterKeyId setting.
  • Validate that the KMS key policy allows the SNS service to use it for encryption purposes.

Issue: Permissions Errors

Errors might occur if the IAM role or user does not have proper permissions:

  • Look into the IAM policies to make sure there's permission to access the KMS CMK, along with the kms:Encrypt and kms:Decrypt actions.
  • Ensure that the SNS service principal has permissions to use the key specified.

Issue: KMS Key Unavailable

  • Ensure the KMS key is active and available.
  • Check the KMS key policy to ensure it hasn't been inadvertently changed or restricted.
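The key-policy checks called for in the three troubleshooting items above (does the policy let the SNS service use the key, and has an explicit Deny been added that blocks it), as an added example that is not Cloud Defense's code. The policy documents below are constructed; the required actions are an assumption based on the AWS SNS server-side encryption documentation, which has the key policy grant kms:GenerateDataKey* and kms:Decrypt to the sns.amazonaws.com service principal. Condition blocks are ignored, so a statement that is conditional on, say, the source account is treated as if it applied unconditionally.

```python
"""Check whether a KMS key policy lets the SNS service principal use the key."""
import fnmatch
import json
from typing import Any, Dict, List

SNS_PRINCIPAL = "sns.amazonaws.com"
# Actions SNS needs on the key (assumption from the AWS SNS SSE documentation).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value: Any) -> List[Any]:
    """Policy fields like Action and Statement may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_service(principal: Any, service: str) -> bool:
    # Only an explicit {"Service": "sns.amazonaws.com"} counts. A bare "*"
    # principal would also match in IAM, but a wildcard principal on a key
    # policy is a finding in its own right, not a deliberate grant to SNS.
    if isinstance(principal, dict):
        return service in _as_list(principal.get("Service"))
    return False


def _action_covers(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards,
    # so "kms:GenerateDataKey*" and "kms:*" both cover kms:GenerateDataKey.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def sns_can_use_key(policy_json: str) -> Dict[str, Any]:
    """Return {"ok": bool, "missing": [...]} for the SNS service principal.

    An action is usable only if some Allow statement grants it and no Deny
    statement names it (explicit deny overrides allow). Conditions are ignored."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_service(stmt.get("Principal"), SNS_PRINCIPAL):
            continue
        patterns = _as_list(stmt.get("Action"))
        covered = {req for req in REQUIRED_ACTIONS
                   if any(_action_covers(p, req) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= covered
        elif stmt.get("Effect") == "Deny":
            denied |= covered
    missing = [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]
    return {"ok": not missing, "missing": missing}


# Constructed sample policies; the account ID is a placeholder.
_ROOT = {"Sid": "EnableRootAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"}
_SNS_OK = {"Sid": "AllowSnsToUseKey", "Effect": "Allow",
           "Principal": {"Service": SNS_PRINCIPAL},
           "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}
_SNS_DECRYPT_ONLY = dict(_SNS_OK, Action="kms:Decrypt")
_SNS_DENY = {"Sid": "BlockSnsDecrypt", "Effect": "Deny",
             "Principal": {"Service": SNS_PRINCIPAL},
             "Action": "kms:Decrypt", "Resource": "*"}

GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [_ROOT, _SNS_OK]})
INCOMPLETE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [_ROOT, _SNS_DECRYPT_ONLY]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [_ROOT, _SNS_OK, _SNS_DENY]})

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("incomplete", INCOMPLETE_POLICY),
                      ("restricted", RESTRICTED_POLICY)]:
        print(name, sns_can_use_key(doc))
```

To check a live key, feed the function the document returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text`; a "missing" list that is non-empty points at the statement to add (or the Deny to remove) before retrying Step 2.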

Necessary CLI Commands Reference

  • Create KMS Key: aws kms create-key
  • Set Topic Attributes: aws sns set-topic-attributes
  • Get Topic Attributes: aws sns get-topic-attributes

By following these steps and troubleshooting any issues that arise, companies can strengthen their messaging security and meet the GxP EU Annex 11 requirements for encrypting data at rest within AWS SNS. Proper adherence to encryption standards is not just a regulatory matter but also a component of company reputation and client trust.
