Ensure that SNS topics are encrypted at rest to enhance data security.
| Rule | SNS topics should be encrypted at rest |
|---|---|
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Medium |
Rule Description:
The rule states that SNS (Simple Notification Service) topics should be encrypted at rest in order to comply with the NIST Cybersecurity Framework (CSF) v1. This ensures that the sensitive data contained within SNS topics remains protected even when stored in a persistent state.
Troubleshooting Steps:
If the SNS topics are not encrypted at rest, it may indicate a misconfiguration in the AWS environment. To troubleshoot and resolve this issue, follow the steps below:
1. Verify Encryption Settings: Check the encryption settings for the SNS topic to ensure that encryption at rest is enabled. If it is not, proceed to enable it.
2. Update Topic Encryption: If encryption at rest is not already enabled for the SNS topic, update the topic's encryption settings to enable it. This can be done through the AWS Management Console or by using the AWS CLI.
3. Validate Encryption Configuration: After enabling encryption at rest for the SNS topic, validate the configuration to ensure that encryption is functioning correctly. Test publishing to and subscribing to the topic to confirm that messages are encrypted and decrypted properly.
4. Check Access Permissions: Ensure that the appropriate access permissions are set for the SNS topic. Only authorized users or roles should have access to the topic to maintain data confidentiality.
Necessary Codes:
If encryption at rest is not enabled for the SNS topic, you can use the following AWS CLI command to enable encryption:

```bash
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-id>
```

Replace <topic-arn> with the Amazon Resource Name (ARN) of the SNS topic you want to enable encryption for, and <kms-key-id> with the ARN of the AWS Key Management Service (KMS) customer master key (CMK) to use for encryption. Ensure that you have the necessary permissions to execute this command.
Step-by-Step Remediation Guide:
Follow the steps below to enable encryption at rest for SNS topics that are not already encrypted:
1. Log in to the AWS Management Console.
2. Go to the AWS SNS service console.
3. Select the SNS topic that you want to enable encryption for.
4. Click on the "Edit topic attributes" button.
5. In the "Attributes" section, find the "KmsMasterKeyId" attribute.
6. If the attribute is not present or is empty, click on the "Add another attribute" button.
7. Enter "KmsMasterKeyId" as the attribute name and provide the ARN of the AWS Key Management Service (KMS) customer master key (CMK) you want to use for encryption.
8. Click on the "Save changes" button to enable encryption at rest for the SNS topic.
9. Validate the encryption configuration by publishing and subscribing to the topic. Ensure that messages are encrypted and decrypted properly.
By following these steps, you can ensure that SNS topics are encrypted at rest to comply with the NIST Cybersecurity Framework (CSF) v1.
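The verification step and the CLI remediation above can be scripted. The following is an added example, not code from the original page: it evaluates the JSON shape returned by `aws sns get-topic-attributes` (captured here as constructed sample data, with made-up topic names and account id) and, going one step beyond the page, distinguishes a customer-managed KMS key from the AWS-managed `alias/aws/sns` key, then builds the `set-topic-attributes` command for every unencrypted topic. The `<kms-key-id>` placeholder is the one the page uses.

```python
"""Audit SNS topics for encryption at rest (KmsMasterKeyId), offline."""
import re

# Constructed sample: what `aws sns get-topic-attributes --topic-arn ...`
# returns for three hypothetical topics (account id and names are made up).
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:orders": {
        "Attributes": {
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:orders",
            "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        }
    },
    "arn:aws:sns:us-east-1:111122223333:alerts": {
        "Attributes": {
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:alerts",
            "KmsMasterKeyId": "alias/aws/sns",  # AWS-managed key for SNS
        }
    },
    "arn:aws:sns:us-east-1:111122223333:legacy": {
        "Attributes": {"TopicArn": "arn:aws:sns:us-east-1:111122223333:legacy"}
    },
}

# Accepted KmsMasterKeyId forms: key ARN, alias ARN, bare key id, or alias name.
KMS_KEY_RE = re.compile(
    r"^(arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/.+|[0-9a-f-]{36}|alias/.+)$"
)

def classify_topic(attributes: dict) -> str:
    """Return 'unencrypted', 'invalid_key_id', 'aws_managed_key' or 'customer_managed_key'."""
    key_id = (attributes.get("KmsMasterKeyId") or "").strip()
    if not key_id:
        return "unencrypted"          # the finding this rule reports
    if not KMS_KEY_RE.match(key_id):
        return "invalid_key_id"       # set, but not something KMS would resolve
    if key_id.startswith("alias/aws/") or ":alias/aws/" in key_id:
        return "aws_managed_key"      # encrypted, but not with a customer-managed CMK
    return "customer_managed_key"

def audit(topics: dict) -> dict:
    """Map each topic ARN to its encryption classification."""
    return {arn: classify_topic(body.get("Attributes", {})) for arn, body in topics.items()}

def remediation_commands(topics: dict, kms_key_id: str) -> list:
    """Build the page's set-topic-attributes command for every unencrypted topic."""
    return [
        f"aws sns set-topic-attributes --topic-arn {arn} "
        f"--attribute-name KmsMasterKeyId --attribute-value {kms_key_id}"
        for arn, status in audit(topics).items() if status == "unencrypted"
    ]

if __name__ == "__main__":
    for arn, status in audit(SAMPLE_TOPICS).items():
        print(f"{status:22s} {arn}")
    for cmd in remediation_commands(SAMPLE_TOPICS, "<kms-key-id>"):
        print(cmd)
```

Against real accounts, feed it the output of `aws sns list-topics` followed by one `get-topic-attributes` call per topic; the publish/subscribe validation step from the guide is still needed to catch key-policy problems that an attribute check cannot see.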