More Info:

Server-Side Encryption (SSE) must be enabled for the SNS topics. This ensures protection of sensitive data delivered as messages to subscribers.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, GDPR, NIST, HITRUST

Triage and Remediation

Remediation

Using Console

To remediate unencrypted SNS topics in AWS using the AWS Management Console, follow these steps:
  1. Log in to your AWS console.
  2. Go to the SNS service.
  3. Select the SNS topic that you want to encrypt.
  4. In the topic details page, click on the “Edit” button.
  5. Scroll down to the “Encryption” section.
  6. Select the “Enable encryption” option.
  7. Choose the KMS key that you want to use for encryption. If you don’t have a KMS key, you can create one by clicking on the “Create a new KMS key” button.
  8. Click on the “Update” button to save the changes.
  9. Verify that the SNS topic is now encrypted by checking the “Encryption” section in the topic details page.
By following these steps, you can remediate the misconfiguration of unencrypted SNS topics in AWS.

Using AWS CLI

To remediate the "SNS Topics should be encrypted" misconfiguration in AWS using the AWS CLI, follow the steps below:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the SNS topics in your AWS account:
    aws sns list-topics
    
  3. Identify the SNS topic that needs to be encrypted.
  4. Run the following command to enable server-side encryption for the identified SNS topic:
    aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-id>
    
    Replace <topic-arn> with the ARN of the SNS topic and <kms-key-id> with the ID of the KMS key that you want to use for encryption.
  5. Verify that the encryption is enabled for the SNS topic by running the following command:
    aws sns get-topic-attributes --topic-arn <topic-arn>
    
    This command should return the attributes of the SNS topic, including the KmsMasterKeyId attribute with the value set to the KMS key ID that you specified.
  6. Repeat the above steps for any other SNS topics that need to be encrypted.
  7. Once you have confirmed that all SNS topics are encrypted, you can close the AWS CLI.
By following the above steps, you can remediate the "SNS Topics should be encrypted" misconfiguration for AWS using the AWS CLI.

Using Python

To remediate the misconfiguration of SNS topics not being encrypted in AWS using Python, follow these steps:
  1. Open the AWS Management Console and navigate to the SNS service.
  2. Identify the SNS topic that needs to be encrypted.
  3. In the topic settings, click on the “Encryption” tab.
  4. Select the “Enable encryption” option.
  5. Choose the KMS key that you want to use for encryption.
  6. Click on the “Update” button to save the changes.
  7. To ensure that new SNS topics you create are encrypted, deploy them with a CloudFormation template that sets KmsMasterKeyId, for example:
    Resources:
      SNSDefaultEncryption:
        Type: "AWS::SNS::Topic"
        Properties:
          KmsMasterKeyId: <your_kms_key_id>
          DisplayName: "Default Encrypted Topic"
          TopicName: "default-encrypted-topic"
          Subscription:
            - Protocol: "email"
              Endpoint: "your-email@example.com"
    
    Replace <your_kms_key_id> with the ID of the KMS key that you want to use for encryption.
  8. Deploy the CloudFormation stack to your AWS account.
  9. Verify that the SNS topic is now encrypted by checking the “Encryption” tab in the topic settings.
By following these steps, you can remediate the misconfiguration of SNS topics not being encrypted in AWS using Python.
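The CLI steps above and this section both describe the same check (does the topic carry a KmsMasterKeyId attribute?) and the same fix (set that attribute). The following is an added example, not code from the original page or from AWS, that performs both with boto3; the function names, the account id 111122223333 and the topic names in SAMPLE_TOPICS are constructed for illustration.

```python
# Added example (not from the original page): audit SNS topics for SSE with boto3.
# The pure checks work on dicts shaped like GetTopicAttributes output, so they run
# offline; only audit_account() and enable_sse() talk to AWS.
import sys
from typing import Dict, List

def is_encrypted(attributes: Dict[str, str]) -> bool:
    """SSE is on when KmsMasterKeyId is present and non-empty; an
    unencrypted topic has no KmsMasterKeyId attribute at all."""
    return bool(attributes.get("KmsMasterKeyId", "").strip())

def find_unencrypted(topics: Dict[str, Dict[str, str]]) -> List[str]:
    """Given {topic_arn: attributes}, return the non-compliant ARNs, sorted."""
    return sorted(arn for arn, attrs in topics.items() if not is_encrypted(attrs))

def audit_account(sns) -> Dict[str, Dict[str, str]]:
    """Page through ListTopics (as `aws sns list-topics` does) and fetch each
    topic's attributes (as `aws sns get-topic-attributes` does)."""
    topics: Dict[str, Dict[str, str]] = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page.get("Topics", []):
            arn = topic["TopicArn"]
            topics[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return topics

def enable_sse(sns, topic_arn: str, kms_key_id: str) -> None:
    """Same call as `aws sns set-topic-attributes --attribute-name KmsMasterKeyId`;
    kms_key_id may be a key ID, key ARN or alias such as alias/aws/sns."""
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="KmsMasterKeyId", AttributeValue=kms_key_id
    )

# Constructed sample data shaped like GetTopicAttributes output (fake account id).
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:alerts": {
        "Owner": "111122223333", "KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:orders": {"Owner": "111122223333"},
    "arn:aws:sns:us-east-1:111122223333:billing": {"KmsMasterKeyId": ""},
}

if __name__ == "__main__":
    import boto3  # imported here so the offline checks above need no AWS SDK
    client = boto3.client("sns")
    for arn in find_unencrypted(audit_account(client)):
        print("unencrypted:", arn)
        if len(sys.argv) > 1:  # pass a KMS key ID/ARN/alias to remediate
            enable_sse(client, arn, sys.argv[1])
```

If you pick the AWS managed key alias/aws/sns, other AWS services (CloudWatch alarms, S3 event notifications) can no longer publish to the topic, because that key's policy cannot be edited to grant them access. Use a customer managed key whose key policy grants the publishing service principal kms:GenerateDataKey and kms:Decrypt when such publishers exist.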
