turbot/aws_compliance

Control: 1 SNS topics should be encrypted at rest using AWS KMS

Description

This control checks whether an SNS topic is encrypted at rest using AWS KMS.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. It also adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read. SNS topics should be encrypted at-rest for an added layer of security. For more information, see Encryption at rest in the Amazon Simple Notification Service Developer Guide.

Remediation

To remediate this issue, update your SNS topic to enable encryption.

To encrypt an unencrypted SNS topic

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Topics.
  3. Choose the name of the topic to encrypt.
  4. Choose Edit.
  5. Under Encryption, choose Enable Encryption.
  6. Choose the KMS key to use to encrypt the topic.
  7. Choose Save changes.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_sns_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_sns_1 --share

SQL

This control uses a named query:

sns_topic_encrypted_at_rest

Tags