Amazon Simple Notification Service
Developer Guide

Tutorial: Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic

You can enable server-side encryption (SSE) for a topic to protect its data. For more information about using SSE, see Protecting Amazon SNS Data Using Server-Side Encryption (SSE) and AWS KMS.

Important

All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

The following tutorial shows how to enable, disable, and configure SSE for an existing Amazon SNS topic using the AWS Management Console and the AWS SDK for Java (by setting the KmsMasterKeyId attribute using the CreateTopic and SetTopicAttributes API actions).

To Enable Server-Side Encryption (SSE) for an Amazon SNS Topic Using the AWS Management Console

  1. Sign in to the Amazon SNS console.

  2. On the navigation panel, choose Topics.

  3. On the Topics page, choose a topic and choose Actions, Edit.

  4. Expand the Encryption section and do the following:

    1. Choose Enable encryption.

    2. Specify the customer master key (CMK). For more information, see Key Terms.

      For each CMK type, the Description, Account, and CMK ARN are displayed.

      Important

      If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SNS console.

      Ask the owner of the CMK to grant you these permissions. For more information, see the AWS KMS API Permissions: Actions and Resources Reference in the AWS Key Management Service Developer Guide.

      • The AWS managed CMK for Amazon SNS (Default) alias/aws/sns is selected by default.

        Note

        Keep the following in mind:

        • The first time you use the AWS Management Console to specify the AWS managed CMK for Amazon SNS for a topic, AWS KMS creates the AWS managed CMK for Amazon SNS.

        • Alternatively, the first time you use the Publish action on a topic with SSE enabled, AWS KMS creates the AWS managed CMK for Amazon SNS.

      • To use a custom CMK from your AWS account, choose the Customer master key (CMK) field and then choose the custom CMK from the list.

        Note

        For instructions on creating custom CMKs, see Creating Keys in the AWS Key Management Service Developer Guide.

      • To use a custom CMK ARN from your AWS account or from another AWS account, enter it into the Customer master key (CMK) field.

  5. Choose Save changes.

    SSE is enabled for your topic and the topic's details page (for example, MyTopic) is displayed.

    The topic's Encryption status, AWS Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.

To Enable Server-Side Encryption (SSE) for an Amazon SNS Topic Using the AWS SDK for Java

  1. Configure AWS KMS key policies to allow encryption of topics and encryption and decryption of messages. For more information, see Configuring AWS KMS Permissions.

  2. Specify your AWS credentials. For more information, see Set up AWS Credentials and Region for Development in the AWS SDK for Java 2.x Developer Guide.

  3. Obtain the customer master key (CMK) ID. For more information, see Key Terms.

    Note

    Keep the following in mind:

    • The first time you use the AWS Management Console to specify the AWS managed CMK for Amazon SNS for a topic, AWS KMS creates the AWS managed CMK for Amazon SNS.

    • Alternatively, the first time you use the Publish action on a topic with SSE enabled, AWS KMS creates the AWS managed CMK for Amazon SNS.

  4. Write your code. For more information, see Using the SDK for Java 2.x.

    To enable server-side encryption, specify the CMK ID by setting the KmsMasterKeyId attribute using the CreateTopic or SetTopicAttributes action.

    The following code excerpt enables SSE for an existing topic using the AWS managed CMK for Amazon SNS:

    import software.amazon.awssdk.services.sns.model.SetTopicAttributesRequest;
    import software.amazon.awssdk.services.sns.model.SetTopicAttributesResponse;

    // Enable server-side encryption by specifying the alias ARN of the AWS managed CMK for Amazon SNS.
    // AWS SDK for Java 2.x builder style; topicArn and snsClient (an SnsClient) are assumed to exist.
    final String kmsMasterKeyAlias = "arn:aws:kms:us-east-2:123456789012:alias/aws/sns";

    final SetTopicAttributesRequest setAttributesRequest = SetTopicAttributesRequest.builder()
        .topicArn(topicArn)
        .attributeName("KmsMasterKeyId")
        .attributeValue(kmsMasterKeyAlias)
        .build();

    final SetTopicAttributesResponse setAttributesResponse =
        snsClient.setTopicAttributes(setAttributesRequest);

    To disable server-side encryption for an existing topic, set the KmsMasterKeyId attribute to an empty string using the SetTopicAttributes action.

    Important

    null isn't a valid value for KmsMasterKeyId.

    The following code excerpt creates a new topic with SSE using a custom CMK:

    import java.util.HashMap;
    import java.util.Map;
    import software.amazon.awssdk.services.sns.model.CreateTopicRequest;
    import software.amazon.awssdk.services.sns.model.CreateTopicResponse;

    // Enable server-side encryption by specifying the alias ARN of the custom CMK.
    // AWS SDK for Java 2.x builder style; snsClient (an SnsClient) is assumed to exist.
    final Map<String, String> attributes = new HashMap<>();
    final String kmsMasterKeyAlias = "arn:aws:kms:us-east-2:123456789012:alias/MyAlias";
    attributes.put("KmsMasterKeyId", kmsMasterKeyAlias);

    final CreateTopicRequest createRequest = CreateTopicRequest.builder()
        .name("MyTopic")
        .attributes(attributes)
        .build();

    final CreateTopicResponse createResponse = snsClient.createTopic(createRequest);
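The enable, disable and "null is not valid" rules above, as an added audit helper that is not part of this guide. It drives the same SNS actions (ListTopics, GetTopicAttributes, SetTopicAttributes) through boto3 call names rather than the Java SDK, and takes the client as a parameter so it can be exercised against a stub offline; the audit reports topics whose KmsMasterKeyId is unset or empty, and the setter reads the attribute back so the caller sees what SNS actually stored.

```python
"""Audit and set SSE on Amazon SNS topics through the KmsMasterKeyId attribute.
Added example, not from the guide: boto3 call names are used, and the SNS
client is injected so the logic can be exercised against a stub client offline."""
from typing import List, Optional

SSE_ATTRIBUTE = "KmsMasterKeyId"


def list_all_topic_arns(sns) -> List[str]:
    """Follow ListTopics NextToken pagination and return every topic ARN."""
    arns: List[str] = []
    token = None
    while True:
        page = sns.list_topics(**({"NextToken": token} if token else {}))
        arns.extend(t["TopicArn"] for t in page.get("Topics", []))
        token = page.get("NextToken")
        if not token:
            return arns


def sse_key_for(sns, topic_arn: str) -> Optional[str]:
    """Return the CMK configured on a topic, or None when SSE is off.
    A missing attribute and an empty string both mean 'not encrypted',
    because SSE is disabled by setting KmsMasterKeyId to ""."""
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    return attrs.get(SSE_ATTRIBUTE) or None


def audit_unencrypted_topics(sns) -> List[str]:
    """Defender check: ARNs of every topic that has no SSE key configured."""
    return [a for a in list_all_topic_arns(sns) if sse_key_for(sns, a) is None]


def set_topic_sse(sns, topic_arn: str, cmk: Optional[str]) -> Optional[str]:
    """Enable SSE with a CMK ID, alias or ARN, or disable it when cmk == "".
    None is rejected up front because null isn't a valid KmsMasterKeyId value.
    The attribute is read back so the caller sees what SNS actually stored."""
    if cmk is None:
        raise ValueError("KmsMasterKeyId must be a key ID/ARN, or '' to disable")
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName=SSE_ATTRIBUTE,
                             AttributeValue=cmk)
    return sse_key_for(sns, topic_arn)
```

With the real SDK, pass boto3.client("sns") as sns; the key policy from step 1 must still allow SNS to use the CMK or Publish calls on the encrypted topic will fail.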