Setting up Amazon SNS topic encryption with server-side encryption

With server-side encryption (SSE), you can store sensitive data in encrypted topics. SSE protects the contents of messages in Amazon SNS topics using keys that are managed in AWS Key Management Service (AWS KMS). For more information about server-side encryption with Amazon SNS, see Securing Amazon SNS data with server-side encryption. For more about create AWS KMS keys, see Creating keys in the AWS Key Management Service Developer Guide.

Important

All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

Enable server-side encryption (SSE) for an Amazon SNS topic using the AWS Management Console

1. Sign in to the Amazon SNS console.

2. On the navigation panel, choose Topics.

3. On the Topics page, choose a topic and choose Actions, Edit.

4. Expand the Encryption section and do the following:

   1. Choose Enable encryption.

   2. Specify the AWS KMS key. For more information, see Key terms.

      For each KMS type, the Description, Account, and KMS ARN are displayed.

      Important

      If you aren't the owner of the KMS, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the KMS on the Amazon SNS console.

      Ask the owner of the KMS to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.

      • The AWS managed KMS for Amazon SNS (Default) alias/aws/sns is selected by default.

        Note

        Keep the following in mind:

        • The first time you use the AWS Management Console to specify the AWS managed KMS for Amazon SNS for a topic, AWS KMS creates the AWS managed KMS for Amazon SNS.

        • Alternatively, the first time you use the Publish action on a topic with SSE enabled, AWS KMS creates the AWS managed KMS for Amazon SNS.

      • To use a custom KMS from your AWS account, choose the KMS key field and then choose the custom KMS from the list.

        Note

        For instructions on creating custom KMSs, see Creating Keys in the AWS Key Management Service Developer Guide

      • To use a custom KMS ARN from your AWS account or from another AWS account, enter it into the KMS key field.

5. Choose Save changes.

   SSE is enabled for your topic and the MyTopic page is displayed.

   The topic's Encryption status, AWS Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.

Set up an Amazon SNS topic with server-side encryption

When creating your KMS key, use the following KMS key policy:

{ 
    "Effect": "Allow", 
    "Principal": { 
        "Service": "service.amazonaws.com" 
     },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*",
    "Condition": {
        "ArnLike": { 
            "aws:SourceArn": "arn:aws:service:region:customer-account-id:resource-type/customer-resource-id" 
        },
        "StringEquals": { 
            "kms:EncryptionContext:aws:sns:topicArn": "arn:aws:sns:your_region:customer-account-id:your_sns_topic_name" 
        }
    }
}

Impact on consumers

When SSE is enabled for an Amazon SNS topic, the process of consuming messages remains unchanged for the subscribers. AWS manages the encryption and decryption process using KMS. Therefore, subscribers do not need to make any changes to their existing setup to handle encrypted messages. AWS ensures that messages are encrypted at rest and automatically decrypted before delivery to the subscribers. This means that subscribers will continue to receive and process messages as they did before encryption was enabled, without requiring any additional configuration or decryption logic. Additionally, AWS recommends using HTTPS to ensure secure transmission of messages.