Amazon Simple Notification Service
Developer Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Tutorial: Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic with an Encrypted Amazon SQS Queue Subscribed

You can enable server-side encryption (SSE) for a topic to protect its data. To allow Amazon SNS to send messages to encrypted Amazon SQS queues, the customer master key (CMK) associated with the Amazon SQS queue must have a policy statement that grants Amazon SNS service-principal access to the AWS KMS API actions GenerateDataKey and Decrypt. Because AWS managed CMKs don't support policy modifications, you must use a custom CMK. For more information about using SSE, see Protecting Amazon SNS Data Using Server-Side Encryption (SSE) and AWS KMS.

The following tutorial shows how you can enable SSE for an Amazon SNS topic to which an encrypted Amazon SQS queue is subscribed, using the AWS Management Console.

Step 1: To Create a Custom CMK

  1. Sign in to the AWS KMS console with a user that has at least the AWSKeyManagementServicePowerUser policy.

  2. Choose Create a key.

  3. On the Add alias and description page, enter an Alias for your key (for example, MyCustomCMK) and then choose Next.

  4. On the Add tags page, choose Next.

  5. On the Define key administrative permissions page, in the Key administrators section, choose an IAM role or an IAM user and then choose Next.

  6. On the Define key usage permissions page, in the This account section, choose an IAM role or an IAM user and then choose Next.

  7. On the Review and edit key policy page, add the following statement to the key policy, and then choose Finish.

    { "Sid": "Allow Amazon SNS to use this key", "Effect": "Allow", "Principal": { "Service": "" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ], "Resource": "*" }

Your new custom CMK appears in the list of keys.

Step 2: To Create an Encrypted Amazon SNS Topic

  1. Sign in to the Amazon SNS console.

  2. On the navigation panel, choose Topics.

  3. Choose Create topic.

  4. On the Create new topic page, for Name, enter a topic name (for example, MyEncryptedTopic) and then choose Create topic.

  5. Expand the Encryption section and do the following:

    1. Choose Enable server-side encryption.

    2. Specify the customer master key (CMK). For more information, see Key Terms.

      For each CMK type, the Description, Account, and CMK ARN are displayed.


      If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SNS console.

      Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.

    3. For Customer master key (CMK), choose MyCustomCMK which you created earlier and then choose Enable server-side encryption.

  6. Choose Save changes.

    SSE is enabled for your topic and the MyTopic page is displayed.

    The topic's Encryption status, AWS Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.

Your new encrypted topic appears in the list of topics.

Step 3: To Create and Subscribe Encrypted Amazon SQS Queues

  1. Sign in to the Amazon SQS console.

  2. Choose Create New Queue.

  3. On the Create New Queue page, do the following:

    1. Enter a Queue Name (for example, MyEncryptedQueue1).

    2. Choose Standard Queue, and then choose Configure Queue.

    3. Choose Use SSE.

    4. For AWS AWS KMS Customer Master Key (CMK), choose MyCustomCMK which you created earlier, and then choose Create Queue.

  4. Repeat the process to create a second queue (for example, named MyEncryptedQueue2).

    Your new encrypted queues appear in the list of queues.

  5. On the Amazon SQS console, choose MyEncryptedQueue1 and MyEncryptedQueue2 and then choose Queue Actions, Subscribe Queues to SNS Topic.

  6. In the Subscribe to a Topic dialog box, for Choose a Topic select MyEncryptedTopic, and then choose Subscribe.

    Your encrypted queues' subscriptions to your encrypted topic are displayed in the Topic Subscription Result dialog box.

  7. Choose OK.

Step 4: To Publish a Message to Your Encrypted Topic

  1. Sign in to the Amazon SNS console.

  2. On the navigation panel, choose Topics.

  3. From the list of topics, choose MyEncryptedTopic and then choose Publish message.

  4. On the Publish a message page, do the following:

    1. (Optional) In the Message details section, enter the Subject (for example, Testing message publishing).

    2. In the Message body section, enter the message body (for example, My message body is encrypted at rest.).

    3. Choose Publish message.

Your message is published to your subscribed encrypted queues.

Step 5: To Verify Message Delivery

  1. Sign in to the Amazon SQS console.

  2. From the list of queues, choose MyEncryptedQueue1 and then choose Queue Actions, View/Delete Messages.

  3. On the View/Delete Messages in MyEncryptedQueue1 page, choose Start polling for messages.

    The message that you sent earlier is displayed.

  4. Choose More Details to view your message.

  5. When you're finished, choose Close.

  6. Repeat the process for MyEncryptedQueue2.