[SNS.1]
SNS topics should be encrypted at rest using AWS KMS
Description
All SNS topics must be encrypted at rest using AWS Key Management Service (AWS KMS). Encrypting the data at rest minimizes the risk of it being read by an unauthorized entity. This rule is COMPLIANT when SNS topics are encrypted at rest.
Details
| Property | Value |
|---|---|
| Category | Protect > Data protection > Encryption of data at rest |
| Compliance Control ID | SNS.1 |
| FortifyFox ID | FF100020 |
| Link | SNS.1 Compliance |
| Resource Type(s) | AWS::SNS::Topic, AWS::KMS::Key |
| Severity | Medium |
| Parameters | KmsMasterKeyId |
| Value | String (ID of an AWS KMS key) |
Remediation
Use one of the following CloudFormation templates to deploy an SNS topic that is compliant with SNS.1.
YAML Template
```yaml
Resources:
  kmsKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Enabled: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Default key policy: the account root gets full control of the key
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  -
                    - "arn:aws:iam::"
                    - Ref: "AWS::AccountId"
                    - ":root"
            Action: "kms:*"
            Resource: "*"
  snsTopic:
    Type: AWS::SNS::Topic
    Properties:
      # Setting KmsMasterKeyId enables server-side encryption for the topic
      KmsMasterKeyId: !Ref kmsKey
```
JSON Template
```json
{
  "Resources": {
    "kmsKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "snsTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "KmsMasterKeyId": {
          "Ref": "kmsKey"
        }
      }
    }
  }
}
```
📓 Notes
- If you already have a KMS key, you can skip the kmsKey resource and replace kmsKey with the ID of your key.
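As an added example (not part of the FortifyFox page or of any AWS tooling), a small Python pre-deployment check that applies the SNS.1 condition to a CloudFormation template in JSON form and reports every AWS::SNS::Topic without a KmsMasterKeyId. The sample template and the function names evaluate_sns1 and non_compliant_topics are constructed for this illustration.

```python
"""Added example: evaluate the SNS.1 condition against a CloudFormation JSON template."""
import json

# Constructed sample template: one compliant topic, one topic with no
# KmsMasterKeyId at all, and one whose KmsMasterKeyId is an empty string.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "kmsKey": {"Type": "AWS::KMS::Key", "Properties": {"Enabled": True}},
        "encryptedTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {"KmsMasterKeyId": {"Ref": "kmsKey"}},
        },
        "plainTopic": {"Type": "AWS::SNS::Topic"},
        "emptyKeyTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {"KmsMasterKeyId": ""},
        },
    }
})


def evaluate_sns1(template_json: str) -> dict:
    """Return {logical_id: "COMPLIANT" | "NON_COMPLIANT"} for each SNS topic."""
    template = json.loads(template_json)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SNS::Topic":
            continue
        key_id = (resource.get("Properties") or {}).get("KmsMasterKeyId")
        # A literal key ID/ARN/alias or an intrinsic such as {"Ref": ...} counts
        # as encrypted; a missing key or an empty string means no encryption at rest.
        if key_id is None or (isinstance(key_id, str) and not key_id.strip()):
            findings[logical_id] = "NON_COMPLIANT"
        else:
            findings[logical_id] = "COMPLIANT"
    return findings


def non_compliant_topics(template_json: str) -> list:
    """Sorted logical IDs of topics that fail SNS.1 (empty list means the template passes)."""
    return sorted(k for k, v in evaluate_sns1(template_json).items() if v == "NON_COMPLIANT")


if __name__ == "__main__":
    for topic, status in evaluate_sns1(SAMPLE_TEMPLATE).items():
        print(f"{topic}: {status}")
```

Wire non_compliant_topics into a CI step that fails the build when the list is non-empty, so unencrypted topics are caught before deployment rather than by a post-deploy compliance scan.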