Encryption at rest - Amazon Simple Notification Service

Encryption at rest

Server-side encryption (SSE) lets you store sensitive data in encrypted topics by protecting the contents of messages in Amazon SNS topics using keys managed in AWS Key Management Service (AWS KMS).

SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored in encrypted form, and only decrypted when they are sent.


All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

For information about compatibility of other services with encrypted topics, see your service documentation.

Amazon SNS only supports symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your service resources. For help determining whether a KMS key is a symmetric encryption key, see Identifying asymmetric KMS keys.

AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When you use Amazon SNS with AWS KMS, the data keys that encrypt your message data are also encrypted and stored with the data they protect.

The following are benefits of using AWS KMS:

  • You can create and manage the AWS KMS key yourself.

  • You can also use AWS-managed KMS keys for Amazon SNS, which are unique for each account and region.

  • The AWS KMS security standards can help you meet encryption-related compliance requirements.

For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.

Encryption scope

SSE encrypts the body of a message in an Amazon SNS topic.

SSE doesn't encrypt the following:

  • Topic metadata (topic name and attributes)

  • Message metadata (subject, message ID, timestamp, and attributes)

  • Data protection policy

  • Per-topic metrics

  • A message is encrypted only if it is sent after the encryption of a topic is enabled. Amazon SNS doesn't encrypt backlogged messages.

  • Any encrypted message remains encrypted even if the encryption of its topic is disabled.

Key terms

The following key terms can help you better understand the functionality of SSE. For detailed descriptions, see the Amazon Simple Notification Service API Reference.

Data key

The data encryption key (DEK) responsible for encrypting the contents of Amazon SNS messages.

For more information, see Data Keys in the AWS Key Management Service Developer Guide and Envelope Encryption in the AWS Encryption SDK Developer Guide.


The alias, alias ARN, key ID, or key ARN of an AWS KMS key, or a custom AWS KMS—in your account or in another account. While the alias of the AWS managed AWS KMS for Amazon SNS is always alias/aws/sns, the alias of a custom AWS KMS can, for example, be alias/MyAlias. You can use these AWS KMS keys to protect the messages in Amazon SNS topics.


Keep the following in mind:

  • The first time you use the AWS Management Console to specify the AWS managed KMS for Amazon SNS for a topic, AWS KMS creates the AWS managed KMS for Amazon SNS.

  • Alternatively, the first time you use the Publish action on a topic with SSE enabled, AWS KMS creates the AWS managed KMS for Amazon SNS.

You can create AWS KMS keys, define the policies that control how AWS KMS keys can be used, and audit AWS KMS usage using the AWS KMS keys section of the AWS KMS console or the CreateKey AWS KMS action. For more information, see AWS KMS keys and Creating Keys in the AWS Key Management Service Developer Guide. For more examples of AWS KMS identifiers, see KeyId in the AWS Key Management Service API Reference. For information about finding AWS KMS identifiers, see Find the Key ID and ARN in the AWS Key Management Service Developer Guide.


There are additional charges for using AWS KMS. For more information, see Estimating AWS KMS costs and AWS Key Management Service Pricing.