Message data protection - Amazon Simple Notification Service

Message data protection

What is message data protection?

Message data protection safeguards the data that's published to your Amazon SNS topics by using data protection policies to audit, mask, redact or block the sensitive information that moves between applications or AWS services.

Message data protection scans data in motion for personally identifiable information (PII) and protected health information (PHI) using predefined data identifiers (for example, names, addresses, credit card numbers, and prescription drug codes). Using the scanned information, message data protection provides detailed audit logs, and allows you to take action to protect that data.

Message data protection supports the following actions to help protect sensitive customer information:

  • Audit – Audit up to 99% of the data that's published to an Amazon SNS topic. You can then choose to send the findings to Amazon CloudWatch, Amazon S3, or Amazon Kinesis Data Firehose.

  • De-identify – Mask or redact sensitive data without interrupting message publishing.

  • Deny – Block the transmission of data between applications and AWS resources if sensitive data is present within the payload.

Why should I use message data protection?

By introducing message data protection into your governance, risk management, and compliance programs, you can implement data protection policies that help you to identify and prevent data leakage. This provides your teams with tools that can help to reduce financial, legal, and regulatory risks by complying with privacy regulations such as HIPAA, GDPR, PCI, and FedRAMP. It also frees your developers from the operational overhead that's associated with building and managing your own tools to protect sensitive data.

For example, you can use message data protection to create an audit policy to determine whether any of your systems are inadvertently sending or receiving sensitive data. If your audit results show that systems are sending credit card information to systems that don’t require it, you can use a block policy to prevent the delivery of the data.

Note

Amazon SNS supports message data protection for Amazon SNS standard topics only.

Message data protection does not support the Amazon SNS PublishBatch API for inbound messages during preview. Message delivery for PublishBatch API is still protected.