SNS Topics Should Be Encrypted Using KMS CMKs
More Info:
SNS Topics should be encrypted with Customer managed keys (CMK) instead of AWS managed keys in order to have a more granular control over the SNS data-at-rest encryption and decryption process.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate this misconfiguration from the AWS Management Console, follow these steps:
- Log in to your AWS Management Console.
- Navigate to the Amazon SNS console.
- Click on the SNS topic that you want to remediate.
- Click on the “Encryption” tab.
- Select “Enable encryption” option.
- Select the KMS key that you want to use to encrypt the topic.
- Click on “Update” to save the changes.
After following these steps, your SNS topic will be encrypted using the KMS CMKs.
To remediate this misconfiguration in AWS, you can follow these steps using the AWS CLI:
- Identify the SNS topics that are not encrypted using KMS CMKs. Note that list-topics returns only topic ARNs, so the encryption attribute has to be read per topic with get-topic-attributes; the following loop prints the ARN of every topic whose KmsMasterKeyId attribute is unset (the CLI prints None for a missing attribute in text output):

```shell
for arn in $(aws sns list-topics --query "Topics[].TopicArn" --output text); do
  key=$(aws sns get-topic-attributes --topic-arn "$arn" --query "Attributes.KmsMasterKeyId" --output text)
  if [ -z "$key" ] || [ "$key" = "None" ]; then
    echo "$arn"
  fi
done
```

- For each topic identified in step 1, create a new KMS CMK or use an existing one.
- Enable server-side encryption for the SNS topic by updating its properties with the following command:

```shell
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-id>
```

Replace <topic-arn> with the ARN of the SNS topic and <kms-key-id> with the ARN of the KMS CMK created in step 2.
- Verify that the SNS topic is now encrypted using KMS CMKs by reading its KmsMasterKeyId attribute:

```shell
aws sns get-topic-attributes --topic-arn <topic-arn> --query "Attributes.KmsMasterKeyId" --output text
```

This command should return the key identifier that was just set in step 3 rather than None.
- Repeat steps 3-4 for all the SNS topics that were identified in step 1.
By following these steps, you can remediate the misconfiguration of SNS topics not being encrypted using KMS CMKs in AWS.
To remediate the misconfiguration of SNS Topics not being encrypted using KMS CMKs in AWS using Python, you can follow these steps:
- First, identify the SNS topic(s) that are not encrypted using KMS CMKs. You can use the AWS CLI or the Boto3 library in Python to list all the SNS topics and their encryption status:

```python
import boto3

# Create an SNS client
sns = boto3.client('sns')

# List all SNS topics; list_topics is paginated, so walk every page
paginator = sns.get_paginator('list_topics')

# Check encryption status for each topic
for page in paginator.paginate():
    for topic in page['Topics']:
        topic_arn = topic['TopicArn']
        topic_attributes = sns.get_topic_attributes(TopicArn=topic_arn)
        if 'KmsMasterKeyId' not in topic_attributes['Attributes']:
            print(f"SNS topic {topic_arn} is not encrypted using KMS CMKs")
```
- Once you have identified the SNS topic(s) that are not encrypted using KMS CMKs, update their encryption settings using the set_topic_attributes() method in Boto3:

```python
import boto3

# Create an SNS client
sns = boto3.client('sns')

# Update encryption settings for a specific topic
topic_arn = 'arn:aws:sns:us-east-1:123456789012:my-topic'
response = sns.set_topic_attributes(
    TopicArn=topic_arn,
    AttributeName='KmsMasterKeyId',
    AttributeValue='arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-1234567890ab'
)
print(f"Encryption settings updated for SNS topic {topic_arn}")
```

Note: Replace topic_arn and AttributeValue with the appropriate values for your AWS account.
- Finally, verify that the SNS topic(s) are now encrypted using KMS CMKs by running the first code snippet again and checking the encryption status for each topic:

```python
import boto3

# Create an SNS client
sns = boto3.client('sns')

# List all SNS topics; list_topics is paginated, so walk every page
paginator = sns.get_paginator('list_topics')

# Check encryption status for each topic
for page in paginator.paginate():
    for topic in page['Topics']:
        topic_arn = topic['TopicArn']
        topic_attributes = sns.get_topic_attributes(TopicArn=topic_arn)
        if 'KmsMasterKeyId' not in topic_attributes['Attributes']:
            print(f"SNS topic {topic_arn} is not encrypted using KMS CMKs")
        else:
            print(f"SNS topic {topic_arn} is encrypted using KMS CMKs")
```

This should return a list of all SNS topics and their encryption status.
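The snippets above treat any topic that has a KmsMasterKeyId as compliant. A topic encrypted with the AWS managed key for SNS (alias/aws/sns) also carries that attribute, yet it does not satisfy this control, which asks for a customer managed key. The following script is an added example, not part of the original page or of any project's code: it walks every topic with a paginator, resolves each topic's key through kms.describe_key and uses the returned KeyManager value (AWS or CUSTOMER) to separate unencrypted topics, topics on the AWS managed key, and topics on a customer managed key. The clients are passed in as parameters so the audit logic can be exercised against stub objects; the function names, the state labels and any ARNs in comments are assumptions made for this example.

```python
"""Audit SNS topics for encryption with a customer managed KMS key (CMK).

Added example: distinguishes three states per topic, of which only
CUSTOMER_MANAGED satisfies the control described on this page.
"""

# Alias of the AWS managed key that SNS uses when "AWS managed key" is chosen
AWS_MANAGED_SNS_ALIAS = "alias/aws/sns"

UNENCRYPTED = "UNENCRYPTED"
AWS_MANAGED = "AWS_MANAGED"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED"


def classify_topic(attributes, describe_key):
    """Return the encryption state of one topic.

    attributes:   the 'Attributes' dict returned by sns.get_topic_attributes
    describe_key: callable taking a key id, alias or ARN and returning the
                  KeyManager string ('AWS' or 'CUSTOMER') from kms.describe_key
    """
    key_id = attributes.get("KmsMasterKeyId")
    if not key_id:
        return UNENCRYPTED
    # The well-known AWS managed alias needs no KMS round trip
    if key_id == AWS_MANAGED_SNS_ALIAS:
        return AWS_MANAGED
    # Anything else may still be an AWS managed key referenced by id or ARN,
    # so ask KMS who manages it
    return CUSTOMER_MANAGED if describe_key(key_id) == "CUSTOMER" else AWS_MANAGED


def audit_topics(sns, kms):
    """Walk every SNS topic (all pages) and return {topic_arn: state}."""

    def describe_key(key_id):
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]

    findings = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
            findings[arn] = classify_topic(attrs, describe_key)
    return findings


def noncompliant(findings):
    """ARNs of topics that fail the control: anything not on a customer managed key."""
    return sorted(arn for arn, state in findings.items() if state != CUSTOMER_MANAGED)


if __name__ == "__main__":
    # Live run against the caller's AWS credentials; boto3 is only needed here
    import boto3

    session = boto3.Session()
    report = audit_topics(session.client("sns"), session.client("kms"))
    for topic_arn, state in sorted(report.items()):
        print(f"{state:17} {topic_arn}")
    print(f"{len(noncompliant(report))} topic(s) not encrypted with a customer managed key")
```

Run as a script it prints one line per topic followed by the count of failing topics; the failing set is what the set-topic-attributes step above should be applied to. Treating AWS_MANAGED as a finding rather than a pass is the point of the KeyManager lookup.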