Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to access the data.

Ask Yourself Whether

• The topic contains sensitive data that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to encrypt SNS topics that contain sensitive information.

To do so, create a master key and assign the SNS topic to it. Note that this system does not encrypt the following:

• Topic metadata (topic name and attributes)
• Message metadata (subject, message ID, timestamp, and attributes)
• Data protection policy
• Per-topic metrics

Then, make sure that any publishers have the kms:GenerateDataKey* and kms:Decrypt permissions for the AWS KMS key.

See AWS SNS Key Management Documentation for more information.

Sensitive Code Example

For aws_cdk.aws_sns.Topic:

from aws_cdk import (
    aws_sns as sns
)

class TopicStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        sns.Topic( # Sensitive, unencrypted by default
            self,
            "example"
        )

For aws_cdk.aws_sns.CfnTopic:

from aws_cdk import (
    aws_sns as sns
)

class TopicStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        sns.CfnTopic( # Sensitive, unencrypted by default
            self,
            "example"
        )

Compliant Solution

For aws_cdk.aws_sns.Topic:

from aws_cdk import (
    aws_sns as sns
)

class TopicStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        my_key = kms.Key(self, "key")
        sns.Topic(
            self,
            "example",
            master_key=my_key
        )

For aws_cdk.aws_sns.CfnTopic:

from aws_cdk import (
    aws_sns as sns
)

class TopicStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        my_key = kms.Key(self, "key")
        sns.CfnTopic(
            self,
            "example",
            kms_master_key_id=my_key.key_id
        )

See

• AWS Documentation - Encryption at rest
• Encrypting messages published to Amazon SNS with AWS KMS
• CWE - CWE-311 - Missing Encryption of Sensitive Data
• STIG Viewer - Application Security and Development: V-222588 - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at rest.