Amazon Simple Notification Service controls - AWS Security Hub

Amazon Simple Notification Service controls

These controls are related to Amazon SNS resources.

These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.

[SNS.1] SNS topics should be encrypted at-rest using AWS KMS

Important

Security Hub retired this control in April 2024 from the AWS Foundational Security Best Practices standard, but it is still included in the NIST SP 800-53 Rev. 5 standard. For more information, see Change log for Security Hub controls.

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

Category: Protect > Data protection > Encryption of data at rest

Severity: Medium

Resource type: AWS::SNS::Topic

AWS Config rule: sns-encrypted-kms

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon SNS topic is encrypted at rest using keys managed in AWS Key Management Service (AWS KMS). The control fails if the SNS topic doesn't use a KMS key for server-side encryption (SSE). By default, SNS stores messages and files using disk encryption. To pass this control, you must choose to use a KMS key for encryption instead. This adds an additional layer of security and provides more access control flexibility.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. API permissions are required to decrypt the data before it can be read. We recommend encrypting SNS topics with KMS keys for an added layer of security.

Remediation

To enable SSE for an SNS topic, see Enabling server-side encryption (SSE) for an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide. Before you can use SSE, you must also configure AWS KMS key policies to allow encryption of topics and encryption and decryption of messages. For more information, see Configuring AWS KMS permissions in the Amazon Simple Notification Service Developer Guide.

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

Important

Security Hub retired this control in April 2024. For more information, see Change log for Security Hub controls.

Related requirements: NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2

Category: Identify > Logging

Severity: Medium

Resource type: AWS::SNS::Topic

AWS Config rule: sns-topic-message-delivery-notification-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether logging is enabled for the delivery status of notification messages sent to an Amazon SNS topic, for the topic's endpoints. This control fails if delivery status notification for messages is not enabled.

Logging is an important part of maintaining the reliability, availability, and performance of services. Logging message delivery status helps provide operational insights, such as the following:

  • Knowing whether a message was delivered to the Amazon SNS endpoint.

  • Identifying the response sent from the Amazon SNS endpoint to Amazon SNS.

  • Determining the message dwell time (the time between the publish timestamp and the handoff to an Amazon SNS endpoint).

Remediation

To configure delivery status logging for a topic, see Amazon SNS message delivery status in the Amazon Simple Notification Service Developer Guide.
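The following is an added example, not code from Security Hub or the AWS Config rules: an offline evaluator that applies the SNS.1 and SNS.2 checks described above to the attribute map that `sns:GetTopicAttributes` returns. The attribute names (`KmsMasterKeyId` and the per-protocol `*SuccessFeedbackRoleArn`/`*FailureFeedbackRoleArn` delivery-status attributes) are the ones SNS accepts; the sample topics and ARNs are constructed, and treating "logging on for at least one protocol" as a pass for SNS.2 is an assumption, since the page does not state the Config rule's per-protocol logic.

```python
"""Offline check of SNS.1 (KMS encryption) and SNS.2 (delivery status logging).

Input is the attribute map returned by sns:GetTopicAttributes (all values are
strings). Sample topics below are constructed placeholders, not real resources.
"""

# SNS exposes delivery-status attributes per protocol. A protocol is treated as
# logged when a success or failure feedback role is configured for it.
DELIVERY_STATUS_PROTOCOLS = ("Application", "HTTP", "Lambda", "SQS", "Firehose")


def sns1_compliant(attrs: dict) -> bool:
    """SNS.1: pass only if a KMS key is configured for server-side encryption."""
    return bool(attrs.get("KmsMasterKeyId", "").strip())


def logged_protocols(attrs: dict) -> list:
    """Protocols for which delivery status logging is enabled on this topic."""
    return [
        p for p in DELIVERY_STATUS_PROTOCOLS
        if attrs.get(f"{p}SuccessFeedbackRoleArn") or attrs.get(f"{p}FailureFeedbackRoleArn")
    ]


def sns2_compliant(attrs: dict) -> bool:
    """SNS.2 (assumption): pass if at least one protocol has delivery logging."""
    return bool(logged_protocols(attrs))


def evaluate(attrs: dict) -> dict:
    """Return a Security Hub-style PASSED/FAILED verdict for each control."""
    return {
        "SNS.1": "PASSED" if sns1_compliant(attrs) else "FAILED",
        "SNS.2": "PASSED" if sns2_compliant(attrs) else "FAILED",
    }


# Constructed sample topics; account IDs, key alias and role names are placeholders.
TOPICS = {
    "unencrypted-no-logging": {
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-a",
    },
    "kms-and-lambda-logging": {
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-b",
        "KmsMasterKeyId": "alias/example-sns-key",
        "LambdaSuccessFeedbackRoleArn": "arn:aws:iam::111122223333:role/SNSDeliveryStatus",
        "LambdaFailureFeedbackRoleArn": "arn:aws:iam::111122223333:role/SNSDeliveryStatus",
        "LambdaSuccessFeedbackSampleRate": "100",
    },
}

if __name__ == "__main__":
    for name, attrs in TOPICS.items():
        print(name, evaluate(attrs))
```

Against a live account, feed the `Attributes` dict from `boto3` `get_topic_attributes` for each topic into `evaluate` to triage findings before enabling SSE or delivery status logging as described in the remediation sections.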