Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to access the data.

Ask Yourself Whether

• The topic contains sensitive data that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to encrypt SNS topics that contain sensitive information. Encryption and decryption are handled transparently by SNS, so no further modifications to the application are necessary.

Sensitive Code Example

For AWS::SNS::Topic:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Topic:  # Sensitive, encryption disabled by default
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: "unencrypted_topic"

Compliant Solution

For AWS::SNS::Topic:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: "encrypted_topic"
      KmsMasterKeyId:
        Fn::GetAtt:
          - TestKey
          - KeyId

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A4 - Insecure Design
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• AWS Documentation - Encryption at rest
• Encrypting messages published to Amazon SNS with AWS KMS
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-311 - Missing Encryption of Sensitive Data