
Rule: SNS topics should be encrypted at rest

Ensure encryption at rest for SNS topics to protect data privacy and security.

Rule: SNS topics should be encrypted at rest
Framework: CISA-cyber-essentials
Severity: Medium

Rule/Policy Description:

CISA Cyber Essentials calls for protecting data at rest. For SNS (Simple Notification Service) that means enabling server-side encryption (SSE) on every topic, so that message bodies are encrypted with an AWS KMS key before they are stored. Note the scope: SSE protects the message body only. Topic names and attributes, and message metadata such as subject, message ID, timestamp and message attributes, are not encrypted, so they should never carry sensitive data themselves.

Troubleshooting Steps (if applicable):

  1. Verify encryption: Run aws sns get-topic-attributes on each topic. Encryption at rest is enabled only when the KmsMasterKeyId attribute is present; on an unencrypted topic the attribute is absent, not empty.

  2. Check permissions: The principal running the check needs sns:ListTopics and sns:GetTopicAttributes; turning encryption on needs sns:SetTopicAttributes (there is no sns:Encrypt IAM action). Principals that publish to the encrypted topic, including AWS services such as CloudWatch alarms, EventBridge or S3 event notifications, need kms:GenerateDataKey* and kms:Decrypt on the key. Subscribers need no KMS permissions, because SNS decrypts messages before delivery.

  3. Set the key and fix the key policy: Encryption is a topic attribute (KmsMasterKeyId), not a topic policy setting. Point it at the KMS key to use, then make sure that key's policy grants the publishing principals the two permissions above. The AWS managed key alias/aws/sns has a fixed key policy you cannot edit, so use a customer managed key whenever an AWS service or another account must publish to the topic.

  4. Test topic encryption: Create a test topic with the key set, publish a message and confirm subscribers receive it. A publisher without key permissions gets an access-denied error from Publish; an AWS service producer without them may simply stop delivering with no error surfaced on the topic, so exercise those producers explicitly.

  5. Monitor encryption status: Enable the AWS Config managed rule sns-encrypted-kms (or an equivalent custom rule) so that any topic created or changed without a KmsMasterKeyId is flagged, and alert on the non-compliant evaluation.

Necessary Codes (if applicable):

Here is an example of enabling encryption for an SNS topic with the AWS CLI. The attribute is named KmsMasterKeyId (there is no KmsMasterKeyArn attribute); its value may be a key ARN, a key ID or an alias, and get-topic-attributes returns it under the same name once set:

aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-arn>

Step-by-Step Guide for Remediation:

  1. Identify SNS topics: List every topic in each region you use (aws sns list-topics is paginated, so follow NextToken) and record which of them carry sensitive data. Encryption is configured per topic and per region.

  2. Check encryption status: For each topic, read its attributes and treat a missing KmsMasterKeyId as unencrypted.

  3. Enable encryption: For topics without encryption, set the KmsMasterKeyId attribute using the AWS CLI or the AWS Management Console. Use the command above as a reference, replacing <topic-arn> with the topic's ARN (Amazon Resource Name) and <kms-key-arn> with the ARN, key ID or alias of an approved KMS key. Before switching a live topic, confirm that the key policy lets every existing publisher use the key; enabling SSE with a key the publishers cannot use stops message flow.

  4. Validation: Publish a test message to the encrypted topic and verify that it is delivered to the intended subscribers. Confirm with get-topic-attributes that KmsMasterKeyId now returns the key you set.

  5. Implement monitoring: Use the AWS Config managed rule sns-encrypted-kms, or a CloudWatch alarm driven by Config compliance-change events, to flag topics that are created or modified without a KMS key.

  6. Documentation: Keep an inventory of encrypted topics, the key each one uses and the principals granted use of that key, for change review and compliance audits.

By following these steps, you can ensure that your SNS topics are encrypted at rest, aligning with CISA Cyber Essentials guidelines and enhancing the security of your AWS infrastructure.
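The troubleshooting and remediation steps above are mechanical enough to script. The following audit is an added example for this page, not CloudDefense's or AWS's own tooling: it classifies topics from their attributes, emits the exact set-topic-attributes command for unencrypted ones, and checks whether a KMS key policy lets a given AWS service principal publish to a topic encrypted with that key. It assumes only the documented shape of get-topic-attributes output (the KmsMasterKeyId attribute) and of a KMS key policy document; the topic list, ARNs, account ID and key policy below are constructed, and the function and class names are this example's own.

```python
"""Audit SNS topics for encryption at rest and check a KMS key policy.

Added example for the rule page; not CloudDefense's or AWS's own code.
Assumes the shape of `aws sns get-topic-attributes` output (KmsMasterKeyId)
and of a KMS key policy document. Sample data below is constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional

AWS_MANAGED_ALIAS = "alias/aws/sns"  # AWS managed key: its key policy cannot be edited


@dataclass
class Finding:
    topic_arn: str
    status: str                  # "unencrypted" | "aws-managed-key" | "customer-managed-key"
    key: Optional[str]
    remediation: Optional[str]   # CLI command to run, or None when nothing is needed


def classify_topic(topic_arn: str, attributes: dict, target_key_arn: str) -> Finding:
    """Map one topic's attribute dict to a finding.
    KmsMasterKeyId is absent (not empty) when SSE is off."""
    key = attributes.get("KmsMasterKeyId") or None
    if key is None:
        status = "unencrypted"
    elif key == AWS_MANAGED_ALIAS or key.endswith(":" + AWS_MANAGED_ALIAS):
        status = "aws-managed-key"   # encrypted, but service/cross-account publishers cannot use it
    else:
        status = "customer-managed-key"
    remediation = None
    if status == "unencrypted":
        # Attribute name is KmsMasterKeyId; there is no KmsMasterKeyArn attribute.
        remediation = (
            f"aws sns set-topic-attributes --topic-arn {topic_arn} "
            f"--attribute-name KmsMasterKeyId --attribute-value {target_key_arn}"
        )
    return Finding(topic_arn, status, key, remediation)


def audit_topics(topics: Dict[str, dict], target_key_arn: str) -> List[Finding]:
    """topics maps TopicArn -> Attributes (as returned by get-topic-attributes)."""
    return [classify_topic(arn, attrs, target_key_arn) for arn, attrs in sorted(topics.items())]


def service_can_use_key(key_policy: dict, service_principal: str) -> bool:
    """True if an Allow statement grants `service_principal` both kms:GenerateDataKey
    and kms:Decrypt, which a producer such as cloudwatch.amazonaws.com needs to
    publish to a topic encrypted with a customer managed key.
    Simplification (assumption of this example): Deny statements and Conditions
    are not evaluated; a definitive answer needs the IAM policy simulator."""
    needed = {"kms:GenerateDataKey", "kms:Decrypt"}
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if principal != "*" and service_principal not in services:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:  # patterns like kms:GenerateDataKey* or kms:* are wildcards
            granted.update(a for a in needed if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return needed <= granted


# Constructed sample data (documentation-style account ID and key ID, not real resources).
TARGET_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:alerts": {"Owner": "111122223333", "DisplayName": ""},
    "arn:aws:sns:us-east-1:111122223333:billing": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:deploys": {"KmsMasterKeyId": TARGET_KEY_ARN},
}
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudWatch alarms to publish", "Effect": "Allow",
         "Principal": {"Service": "cloudwatch.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for f in audit_topics(SAMPLE_TOPICS, TARGET_KEY_ARN):
        print(f"{f.status:22} {f.topic_arn}")
        if f.remediation:
            print("    ", f.remediation)
    for svc in ("cloudwatch.amazonaws.com", "events.amazonaws.com"):
        print(f"{svc} can use key: {service_can_use_key(SAMPLE_KEY_POLICY, svc)}")
```

In a real account, build the topics dict from the paginated list-topics and get-topic-attributes calls (one pass per region) and fetch the key policy with kms get-key-policy. The key-policy check is the part people skip: with the sample policy, CloudWatch alarms can publish to the encrypted topics but EventBridge cannot, and that gap only shows up as missing notifications after the switch.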
