How To

Encryption at rest for SNS

How to enforce encryption at rest to all your Amazon SNS topics.

Turbot Team
5 min. read - May 31, 2021
How to enforce encryption at rest to all your Amazon SNS topics.

Amazon Simple Notification Service (Amazon SNS is a messaging Platform as a Service (PaaS) that is frequently used as part of cloud-native, loosely-coupled application architectures (e.g. microservices, distributed systems, etc.). Turbot Guardrails itself uses SNS in conjunction with CloudWatch events and SQS as a highly reliable and subscribable message queue. If your SNS topics are processing sensitive data, it makes sense to encrypt them in transit and at rest.

This post looks at how Turbot Guardrails can automate checking and enforcement of encryption at rest for your Amazon SNS topics.

Traditional Workflow

In a cloud native architecture, SNS topics are often created programmatically i.e. a software factory that creates new lambda functions, might also create a new SNS topic to enable pub/sub messaging for the function. This means that your large scale applications may have hundreds or thousands of topics under management.

Furthermore, limitations in the past with cross service KMS key access prevented some applications from using encryption with SNS. If your applications were built a few years ago, those applications may not have updated their architecture and could still be generating new topics without encryption. Manually looking for them and remediating the issues is a tedious and time consuming task.

Get it done with Turbot Guardrails

In Turbot Guardrails, Amazon SNS Topics guardrails are readily available to control your cloud resource configurations. We can set the Turbot Guardrails automation AWS > SNS > Topic > Encryption at Rest policy in just a few clicks:

Setting the configuration via Turbot Guardrails Terraform Provider is just as easy:

After setting these policies, Turbot Guardrails will identify all SNS Topics without a configured AWS KMS managed key, and then handle remediation (i.e. set the correct encryption configuration).

If you are not yet ready to enforce remediation, you can still assess your environment's SNS encryption compliance by setting the value of the policy to Check: AWS managed key or higher at the Turbot level. In 'Check' mode Turbot Guardrails will alarm on Amazon SNS Topics that do not have encryption at rest in place. After review of the alarms, selectively apply the enforcement settings or create exceptions as desired.

Given that encryption may not be applicable for all topics, make use of Turbot Guardrails policy exceptions and time-based expiration settings features to mark exceptions to the rule or automatically reset a configuration when the exception expires.

Make it happen!

See for yourself how easy it is to manage your encryption configurations across your cloud resources. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!