Rule: SNS Topics should be encrypted at rest
This rule ensures that SNS topics are properly encrypted to protect sensitive data.
| Rule | SNS topics should be encrypted at rest |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description:
The rule requires SNS (Simple Notification Service) topics to be encrypted at rest according to the NIST (National Institute of Standards and Technology) 800-53 Revision 5 security standards. Encryption at rest ensures that the data stored in SNS topics remains secure and protected from unauthorized access.
Troubleshooting Steps:
- 1.Verify Encryption Configuration: Check the encryption settings of the SNS topics to ensure that they are properly configured to enable encryption at rest.
- 2.Check Access Policies: Ensure that the necessary access policies are in place to restrict access to the SNS topics and prevent unauthorized users from accessing sensitive data.
- 3.Review AWS Key Management Service (KMS): Check the KMS configuration to ensure that the appropriate encryption keys are being utilized for encrypting the SNS topics.
- 4.Encryption Key Permissions: Ensure that the encryption keys used for SNS topic encryption have the necessary permissions to access and decrypt the data.
- 5.Test Notifications: Test the SNS topic to verify that notifications are still functioning correctly after enabling encryption at rest.
Code Examples:
- 1.AWS CLI Command to Enable Encryption for an SNS Topic:
aws sns set-topic-attributes \ --topic-arn <topic-arn> \ --attribute-name KmsMasterKeyId \ --attribute-value <kms-key-id>
Replace
<topic-arn><kms-key-id>- 1.AWS CloudFormation Template to Create an Encrypted SNS Topic:
Resources:
MySNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: My Encrypted SNS Topic
Subscription:
- Protocol: email
Endpoint: example@example.com
KmsMasterKeyId: <kms-key-id>
Replace
<kms-key-id>Remediation Steps:
Follow these steps to remediate the non-compliant SNS topics and ensure that they are encrypted at rest:
- 1.
Identify the SNS Topics: Identify the SNS topics that need to be encrypted at rest according to the NIST 800-53 Revision 5 policy.
- 2.
Enable Encryption: Use the AWS Management Console, AWS CLI, or AWS CloudFormation to enable encryption for each identified SNS topic.
If using AWS Management Console:
- Open the Amazon SNS console.
- Select the desired SNS topic.
- Go to the "Encryption" section.
- Enable encryption and select the appropriate KMS key.
- Save the changes.
If using AWS CLI:
- Run the
command provided earlier, replacingaws sns set-topic-attributes
and<topic-arn>
with the correct ARNs.<kms-key-id>
If using AWS CloudFormation:
- Create or modify the CloudFormation template as shown in the provided example.
- 3.
Verify Encryption: Validate that the encryption is enabled for each SNS topic.
If using AWS Management Console:
- Open the Amazon SNS console.
- Select the SNS topic.
- Verify that encryption is enabled.
If using AWS CLI:
- Run the
command with the appropriate topic ARN.aws sns get-topic-attributes - Check the response to ensure that encryption is indicated as enabled.
- 4.
Test Notifications: After enabling encryption at rest, test the SNS topic to ensure that notifications are still functioning as expected. This will help verify that the encryption implementation did not impact the basic functionality.
By following these steps, you can ensure that SNS topics are encrypted at rest, meeting the NIST 800-53 Revision 5 compliance requirements.