Encryption at rest - Amazon Simple Notification Service

Encryption at rest

Server-side encryption (SSE) lets you store sensitive data in encrypted topics. SSE protects the contents of messages in Amazon SNS topics using keys managed in AWS Key Management Service (AWS KMS).

For information about managing SSE using the AWS Management Console or the AWS SDK for Java (by setting the KmsMasterKeyId attribute using the CreateTopic and SetTopicAttributes API actions), see Enabling server-side encryption (SSE) for an Amazon SNS topic. For information about creating encrypted topics using AWS CloudFormation (by setting the KmsMasterKeyId property using the AWS::SNS::Topic resource), see the AWS CloudFormation User Guide.

SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored in encrypted form and Amazon SNS decrypts messages only when they are sent.


All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

For information about compatibility of other services with encrypted topics, see your service documentation.

AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When you use Amazon SNS with AWS KMS, the data keys that encrypt your message data are also encrypted and stored with the data they protect.

The following are benefits of using AWS KMS:

  • You can create and manage customer master keys (CMKs) yourself.

  • You can also use AWS-managed KMS keys for Amazon SNS, which are unique for each account and region.

  • The AWS KMS security standards can help you meet encryption-related compliance requirements.

For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.

Encryption scope

SSE encrypts the body of a message in an Amazon SNS topic.

SSE doesn't encrypt the following:

  • Topic metadata (topic name and attributes)

  • Message metadata (subject, message ID, timestamp, and attributes)

  • Per-topic metrics

  • A message is encrypted only if it is sent after the encryption of a topic is enabled. Amazon SNS doesn't encrypt backlogged messages.

  • Any encrypted message remains encrypted even if the encryption of its topic is disabled.

Key terms

The following key terms can help you better understand the functionality of SSE. For detailed descriptions, see the Amazon Simple Notification Service API Reference.

Data key

The data encryption key (DEK) responsible for encrypting the contents of Amazon SNS messages.

For more information, see Data Keys in the AWS Key Management Service Developer Guide and Envelope Encryption in the AWS Encryption SDK Developer Guide.

Customer master key ID

The alias, alias ARN, key ID, or key ARN of an AWS managed customer master key (CMK) or a custom CMK—in your account or in another account. While the alias of the AWS managed CMK for Amazon SNS is always alias/aws/sns, the alias of a custom CMK can, for example, be alias/MyAlias. You can use these CMKs to protect the messages in Amazon SNS topics.


Keep the following in mind:

  • The first time you use the AWS Management Console to specify the AWS managed CMK for Amazon SNS for a topic, AWS KMS creates the AWS managed CMK for Amazon SNS.

  • Alternatively, the first time you use the Publish action on a topic with SSE enabled, AWS KMS creates the AWS managed CMK for Amazon SNS.

You can create CMKs, define the policies that control how CMKs can be used, and audit CMK usage using the Customer managed keys section of the AWS KMS console or the CreateKey AWS KMS action. For more information, see Customer Master Keys (CMKs) and Creating Keys in the AWS Key Management Service Developer Guide. For more examples of CMK identifiers, see KeyId in the AWS Key Management Service API Reference. For information about finding CMK identifiers, see Find the Key ID and ARN in the AWS Key Management Service Developer Guide.


There are additional charges for using AWS KMS. For more information, see Estimating AWS KMS costs and AWS Key Management Service Pricing.