
Rule: SNS Topics Encryption at Rest

Ensure that SNS topics are encrypted at rest for enhanced security.

Rule: SNS topics should be encrypted at rest
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

SNS topics in the AWS environment should be encrypted at rest according to the guidelines set by the National Institute of Standards and Technology (NIST) 800-171 Revision 2. Encryption at rest ensures that sensitive information within SNS topics remains secure even if an unauthorized person gains access to the underlying storage.

Troubleshooting Steps

If encryption at rest for SNS topics is not properly implemented, it may pose a risk to the security and confidentiality of sensitive data. Here are the troubleshooting steps:

  1. Ensure AWS Key Management Service (KMS) permissions: Verify that the KMS permissions are configured to allow the encryption and decryption operations that SNS topics need.

  2. Check encryption status: Confirm whether encryption at rest is enabled for each SNS topic. You can use the AWS CLI or the AWS Management Console to check the encryption status.

  3. Verify KMS key policies: Ensure that the KMS key used for SNS topic encryption has proper key policies in place. The policies should allow the actions SNS needs while restricting unauthorized access.

  4. Review SNS topic policies: Examine the SNS topic policies to ensure that the necessary permissions are defined for encryption at rest, and that only authorized services and IAM roles have access to the encrypted SNS topics.

  5. Check CMK (Customer Master Key) rotation: Confirm that rotation is enabled for the KMS keys linked to SNS topics. Regular key rotation limits how much data any single key version protects.

Necessary Codes (if applicable)

No code is required to implement this rule. Encryption at rest for SNS topics is enabled through the relevant settings and permissions in the AWS Management Console, or with the corresponding AWS CLI commands if needed.

Step-by-step Remediation Guide

Follow the step-by-step guide to remediate the issue if encryption at rest for SNS topics is not implemented according to NIST 800-171 Revision 2:

  1. Enable encryption at rest: Go to the AWS SNS console at https://console.aws.amazon.com/sns/.

    • Select the SNS topic that needs to be encrypted.
    • Click on "Edit topic details" for the selected topic.
    • Under "Show advanced settings," check the box for "Enable server-side encryption."
    • Choose an appropriate KMS CMK (Customer Master Key) or create a new one if needed.
    • Click on "Save changes" to enable encryption at rest for the SNS topic.

  2. Validate proper encryption at rest: After enabling encryption, verify that the SNS topic is now encrypted at rest.

    • Go to the SNS console and select the encrypted topic.
    • Check the topic details to ensure that encryption is enabled and that it is using the desired KMS CMK.

  3. Review KMS key policies: Validate the key policies associated with the KMS CMK used for SNS topic encryption.

    • Go to the AWS Key Management Service (KMS) console at https://console.aws.amazon.com/kms/.
    • Select the relevant KMS key used for SNS topic encryption.
    • Verify that the key policies align with security requirements and meet the guidelines of NIST 800-171 Revision 2.

  4. Review SNS topic policies: Ensure that the SNS topic policies are properly configured to enforce encryption at rest.

    • Go to the SNS console and select the encrypted topic.
    • Click on "Edit topic policy" to review the topic policy.
    • Confirm that the policy permits necessary actions for the SNS topic while restricting unauthorized access.

  5. Enable KMS key rotation: Ensure that CMK rotation is enabled for the KMS key associated with SNS topic encryption.

    • Go to the KMS console and select the relevant KMS key.
    • Enable the rotation of the key if it is not already enabled.
    • Review and adjust the key rotation settings as per security requirements.

By following the above steps, you can ensure that SNS topics in the AWS environment are encrypted at rest, complying with the NIST 800-171 Revision 2 guidelines.
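The same check and remediation, expressed as Python over the attributes that the SNS GetTopicAttributes call returns (encryption is on exactly when the KmsMasterKeyId attribute is set). This is an added example, not code from the rule page or from AWS; the topic ARNs, account id and key id in the sample data are constructed placeholders.

```python
"""Check SNS topics for encryption at rest and build the remediation call.
Attributes are in the shape returned by GetTopicAttributes; the sample data
below is constructed (placeholder account id), not real account data."""
from typing import Dict, List

AWS_MANAGED_SNS_KEY = "alias/aws/sns"  # AWS-managed default key offered by the console

def assess_topic(attributes: Dict[str, str]) -> Dict[str, object]:
    """Classify one topic: SSE is enabled exactly when KmsMasterKeyId is set."""
    arn = attributes.get("TopicArn", "<unknown>")
    key_id = attributes.get("KmsMasterKeyId", "").strip()
    if not key_id:
        return {"topic": arn, "encrypted": False, "customer_managed": False,
                "status": "FAIL: server-side encryption not enabled"}
    # The AWS-managed key encrypts the data, but its key policy and rotation are
    # not yours to edit; steps 3 and 5 of the guide need a customer-managed key.
    customer_managed = not key_id.endswith(AWS_MANAGED_SNS_KEY)
    status = "PASS" if customer_managed else "PASS (AWS-managed key; policy/rotation not editable)"
    return {"topic": arn, "encrypted": True, "customer_managed": customer_managed,
            "status": status}

def remediation_params(topic_arn: str, kms_key_id: str) -> Dict[str, str]:
    """Arguments for sns.set_topic_attributes() / `aws sns set-topic-attributes`."""
    return {"TopicArn": topic_arn, "AttributeName": "KmsMasterKeyId",
            "AttributeValue": kms_key_id}

def fetch_topic_attributes(topic_arn: str) -> Dict[str, str]:
    """Live lookup; boto3 is imported lazily so the checks run without credentials."""
    import boto3
    return boto3.client("sns").get_topic_attributes(TopicArn=topic_arn)["Attributes"]

SAMPLE_TOPICS: List[Dict[str, str]] = [  # constructed, not real
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:orders-plain"},
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:orders-default",
     "KmsMasterKeyId": "alias/aws/sns"},
    {"TopicArn": "arn:aws:sns:us-east-1:111122223333:orders-cmk",
     "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
]

def failing_topics(topics: List[Dict[str, str]]) -> List[str]:
    """ARNs of topics that fail the rule (no server-side encryption at all)."""
    return [f["topic"] for f in map(assess_topic, topics) if not f["encrypted"]]

if __name__ == "__main__":
    for finding in map(assess_topic, SAMPLE_TOPICS):
        print(f"{finding['status']:<55} {finding['topic']}")
    for topic in failing_topics(SAMPLE_TOPICS):  # what step 1 of the guide sets
        print("remediate:", remediation_params(topic, AWS_MANAGED_SNS_KEY))
```

To run against a real account, replace SAMPLE_TOPICS with the attribute dicts returned by fetch_topic_attributes for each ARN from `aws sns list-topics`.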
