Control: 1 SNS topics should be encrypted at rest using AWS KMS
Description
This control checks whether an SNS topic is encrypted at rest using AWS KMS.
Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide
.
Remediation
To remediate this issue, update your SNS topic to enable encryption.
To encrypt an unencrypted SNS topic
- Open the Amazon SNS console.
- In the navigation pane, choose
Topics
. - Choose the name of the topic to encrypt.
- Choose
Edit
. - Under
Encryption
, chooseEnable Encryption
. - Choose the
KMS key
to use to encrypt the topic. - Choose
Save
changes.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_sns_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_sns_1 --share
SQL
This control uses a named query:
sns_topic_encrypted_at_rest