AWS Config Rule: SNS Topic Encrypted With KMS
SNS_ENCRYPTED_KMS
Fernando Honig
Last Update 7 months ago
Description: Checks whether an Amazon SNS topic is encrypted with AWS Key Management Service (AWS KMS). The rule is NON_COMPLIANT if the Amazon SNS topic is not encrypted with AWS KMS. The rule is also NON_COMPLIANT when the KMS key used for encryption is not present in the kmsKeyIds input parameter.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Middle East (UAE), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Europe (Spain), Europe (Zurich) Region
How to Resolve Manually
To resolve this manually, go to your AWS SNS Dashboard and click on Topics. Click the Topic whose encryption status you want to check. When its details appear in the main part of the dashboard, open the Encryption tab to see all the encryption details.
For the rule to be COMPLIANT, encryption must be configured. On a compliant topic, the Encryption tab shows the CMK ARN clearly defined and linked, along with the CMK alias.
If encryption is not currently configured, you can set it up using the Edit button at the top of the Topics dashboard.
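The same check can be scripted instead of clicking through each topic. The following is an added example, not StackZone or AWS code: it approximates the rule logic from the Description using the SNS GetTopicAttributes and SetTopicAttributes APIs through boto3. The function names and sample data are hypothetical, and it assumes kmsKeyIds is a comma-separated string that is matched by exact string comparison.

```python
# Added example: approximates the SNS_ENCRYPTED_KMS logic described above.
# Assumptions: kmsKeyIds is a comma-separated string, and a topic's key is
# matched against it by exact string comparison (no alias resolution).

def evaluate_topic(attributes, kms_key_ids=""):
    """Return (compliance, reason) for one topic's GetTopicAttributes map."""
    key = (attributes.get("KmsMasterKeyId") or "").strip()
    if not key:
        return "NON_COMPLIANT", "topic is not encrypted with AWS KMS"
    allowed = [k.strip() for k in kms_key_ids.split(",") if k.strip()]
    if allowed and key not in allowed:
        return "NON_COMPLIANT", "KMS key is not listed in kmsKeyIds"
    return "COMPLIANT", "topic is encrypted with AWS KMS"


def evaluate_all(topic_attributes, kms_key_ids=""):
    """Evaluate a {topic_arn: attributes} mapping."""
    return {arn: evaluate_topic(attrs, kms_key_ids)
            for arn, attrs in topic_attributes.items()}


def fetch_topic_attributes(sns):
    """Collect attributes for every topic visible to a boto3 SNS client."""
    found = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            found[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return found


def encrypt_topic(sns, topic_arn, kms_key_id):
    """API equivalent of setting the key from the console's Edit button."""
    sns.set_topic_attributes(TopicArn=topic_arn,
                             AttributeName="KmsMasterKeyId",
                             AttributeValue=kms_key_id)


# Constructed sample data (account ID, topic names and key values are made up).
SAMPLE = {
    "arn:aws:sns:us-east-1:111122223333:orders": {"KmsMasterKeyId": "alias/app-sns"},
    "arn:aws:sns:us-east-1:111122223333:alerts": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:legacy": {"DisplayName": "legacy"},
}

if __name__ == "__main__":
    # Swap SAMPLE for fetch_topic_attributes(boto3.client("sns")) on a live account.
    for arn, (status, reason) in evaluate_all(SAMPLE, "alias/app-sns").items():
        print(f"{status:14} {arn}  ({reason})")
```

With an empty kmsKeyIds value, any topic that has a KmsMasterKeyId set evaluates as COMPLIANT; supplying a list narrows compliance to the approved keys.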
How to Resolve this with StackZone
You can resolve this with StackZone by enabling the SNS Encryption remediation.
To do this, go to Provisioning -> Baseline Services -> Config Rules Regional -> Amazon SNS, then look for the Remediation(s) card and enable SNS Topic Encrypted Remediation.