Remediation

How to encrypt Amazon SNS topic data with your own KMS CMK?

Using AWS Console

  • Step 1: In the left navigation panel, click Encryption Keys. Select the appropriate AWS region from the Filter menu (it must match the region where your AWS SNS topic was created).
  • Step 2: Click the Create Key button from the dashboard top menu to initiate the setup process.
  • Step 3: In the Alias (required) and Description fields, enter a unique name (alias) and a description for your new KMS CMK, then click the Next Step button.
  • Step 4: Under the Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.
  • Step 5: Under the This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the SNS topic data with the AWS KMS API.
  • Step 6: (Optional) Under the External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt and decrypt your SNS data. The owners of the external AWS accounts must also grant access to this CMK by creating appropriate policies for their own IAM users.
  • Step 7: Click Next Step to continue the process.
  • Step 8: Under the Preview Key Policy section, review the key policy generated by AWS, then click Finish to create your new Customer Master Key (CMK). Once the key is created, the KMS dashboard displays a confirmation message: “Your master key was created successfully. Alias: the CMK display name”.
  • Step 9: Now that the CMK has been created, navigate to the SNS dashboard at https://console.aws.amazon.com/sns/v2/.
  • Step 10: In the left navigation panel, choose Topics. Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right SNS resource).
  • Step 11: Click the Actions button from the dashboard top menu and select the Edit topic encryption configuration option.
  • Step 12: Inside the Edit topic encryption configuration dialog box, select the AWS KMS Customer Master Key created earlier from the KMS customer master key dropdown list. Once the right key is selected, click the Enable Server-Side Encryption button to apply the configuration changes.
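The same audit-and-remediate logic in code, as an added example that is not part of the original guide: it classifies a topic from the attributes that GetTopicAttributes returns (unencrypted, AWS-managed `alias/aws/sns`, or a customer-managed key resolved via DescribeKey's `KeyManager` field) and builds the SetTopicAttributes parameters that correspond to step 12. The `sns`/`kms` clients are assumed to be boto3-style objects and the ARNs are constructed samples.

```python
"""Audit SNS topic encryption and produce the SetTopicAttributes remediation.

Assumptions (not from the original guide): `sns` and `kms` are boto3-style
clients exposing get_topic_attributes() and describe_key(); every ARN/key
reference used with these functions is a constructed sample value.
"""

AWS_MANAGED_SNS_ALIAS = "alias/aws/sns"


def classify_topic_encryption(topic_attrs, key_metadata=None):
    """Return 'unencrypted', 'aws-managed' or 'customer-managed'.

    topic_attrs  - the 'Attributes' map from sns.get_topic_attributes()
    key_metadata - optional 'KeyMetadata' map from kms.describe_key(), needed
                   when KmsMasterKeyId is a bare key ID/ARN rather than an alias
    """
    key_ref = (topic_attrs.get("KmsMasterKeyId") or "").strip()
    if not key_ref:
        return "unencrypted"  # server-side encryption is not enabled at all
    # The AWS-managed key is normally referenced by its alias or alias ARN.
    if key_ref == AWS_MANAGED_SNS_ALIAS or key_ref.endswith(":" + AWS_MANAGED_SNS_ALIAS):
        return "aws-managed"
    # For a raw key ID/ARN, DescribeKey reports KeyManager as 'AWS' or 'CUSTOMER'.
    if key_metadata and key_metadata.get("KeyManager") == "AWS":
        return "aws-managed"
    return "customer-managed"


def remediation_params(topic_arn, cmk_ref):
    """Parameters for sns.set_topic_attributes() that switch the topic to the CMK
    (the API equivalent of the console's 'Enable Server-Side Encryption')."""
    return {"TopicArn": topic_arn,
            "AttributeName": "KmsMasterKeyId",
            "AttributeValue": cmk_ref}


def scan_topics(sns, kms, topic_arns):
    """Map each topic ARN to its encryption class using the two clients."""
    result = {}
    for arn in topic_arns:
        attrs = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
        key_ref = attrs.get("KmsMasterKeyId")
        meta = None
        # Only call KMS when the reference is not self-evidently the AWS-managed alias.
        if key_ref and not key_ref.endswith(AWS_MANAGED_SNS_ALIAS):
            meta = kms.describe_key(KeyId=key_ref)["KeyMetadata"]
        result[arn] = classify_topic_encryption(attrs, meta)
    return result
```

After the key is switched, any AWS service or cross-account principal that publishes to the topic must be allowed kms:GenerateDataKey* and kms:Decrypt in the CMK's key policy, or its publishes will be rejected.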