Amazon Simple Notification Service controls - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Simple Notification Service controls

These controls are related to Amazon SNS resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[SNS.1] SNS topics should be encrypted at-rest using Amazon KMS

Important

Security Hub retired this control in April 2024 from the Amazon Foundational Security Best Practices standard, but it is still included in the NIST SP 800-53 Rev. 5 standard. For more information, see Change log for Security Hub controls.

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

Category: Protect > Data Protection > Encryption of data-at-rest

Severity: Medium

Resource type: AWS::SNS::Topic

Amazon Config rule: sns-encrypted-kms

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon SNS topic is encrypted at rest using keys managed in Amazon Key Management Service (Amazon KMS). The control fails if the SNS topic doesn't use a KMS key for server-side encryption (SSE). By default, SNS stores messages using disk encryption that you don't control. To pass this control, you must configure the topic to use a KMS key instead. This adds a layer of security and gives you access-control flexibility, because the key policy decides which principals can encrypt and decrypt.

Encrypting data at rest reduces the risk of data stored on disk being read by a principal that is not authenticated to Amazon Web Services. KMS API permissions (on the key itself) are required to decrypt the data before it can be read. We recommend encrypting SNS topics with KMS keys for this added layer of security.

Remediation

To enable SSE for an SNS topic, see Enabling server-side encryption (SSE) for an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide. Before you can use SSE, you must also configure Amazon KMS key policies to allow encryption of topics and encryption and decryption of messages. For more information, see Configuring Amazon KMS permissions in the Amazon Simple Notification Service Developer Guide.
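The following is an added example (not Security Hub, Amazon Config or SNS code) of the SNS.1 check and its remediation expressed in Python: it applies the control's rule to the attribute map that GetTopicAttributes returns, produces the SetTopicAttributes call that turns SSE on for each failing topic, and builds the KMS key policy statement that the remediation text says you must add for the principals that publish to the topic. All topic ARNs, account IDs, the key alias and the publisher role ARN are constructed for the example.

```python
"""SNS.1 as code: verdict per topic, the SetTopicAttributes fix, and the KMS
key policy statement publishers need.  Added example, not Security Hub code.
The attribute maps mirror the "Attributes" map of GetTopicAttributes; every
ARN, account ID and alias below is made up.
"""
import json

SAMPLE_TOPICS = {
    # Constructed: SSE already on, key referenced by alias.
    "arn:aws-cn:sns:cn-north-1:111122223333:alerts": {
        "TopicArn": "arn:aws-cn:sns:cn-north-1:111122223333:alerts",
        "KmsMasterKeyId": "alias/sns-topics",
    },
    # Constructed: no KmsMasterKeyId at all, so only default disk encryption applies.
    "arn:aws-cn:sns:cn-north-1:111122223333:plain": {
        "TopicArn": "arn:aws-cn:sns:cn-north-1:111122223333:plain",
    },
    # Constructed: attribute present but empty; setting it to "" is how SSE is turned off.
    "arn:aws-cn:sns:cn-north-1:111122223333:blank": {
        "TopicArn": "arn:aws-cn:sns:cn-north-1:111122223333:blank",
        "KmsMasterKeyId": "",
    },
}

# Publishers encrypt (data key generation) and SNS decrypts on delivery.
KMS_ACTIONS = ["kms:GenerateDataKey*", "kms:Decrypt"]


def is_sse_kms_encrypted(attributes):
    """The control passes only when KmsMasterKeyId names a key (ID, ARN or alias)."""
    return bool(attributes.get("KmsMasterKeyId", "").strip())


def evaluate_topics(topics):
    """Map each topic ARN to a Security Hub style PASSED/FAILED verdict."""
    return {arn: "PASSED" if is_sse_kms_encrypted(attrs) else "FAILED"
            for arn, attrs in topics.items()}


def set_topic_attributes_request(topic_arn, kms_key_id):
    """Parameters for sns:SetTopicAttributes; pass "" as kms_key_id to disable SSE."""
    return {"TopicArn": topic_arn,
            "AttributeName": "KmsMasterKeyId",
            "AttributeValue": kms_key_id}


def remediation_requests(topics, kms_key_id):
    """One SetTopicAttributes call per failing topic; compliant topics are untouched."""
    return [set_topic_attributes_request(arn, kms_key_id)
            for arn, verdict in evaluate_topics(topics).items()
            if verdict == "FAILED"]


def kms_key_policy_statement(principals, sid="AllowSNSPublishersToUseKey"):
    """Key policy statement for the principals that publish to the encrypted topic.

    principals is the Principal element, e.g. {"AWS": [role_arn]} for IAM
    principals or {"Service": ["events.amazonaws.com"]} for a service that
    publishes on your behalf.  Resource is "*" because a key policy is
    attached to the key it governs.
    """
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": principals,
        "Action": list(KMS_ACTIONS),
        "Resource": "*",
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_topics(SAMPLE_TOPICS), indent=2))
    print(json.dumps(remediation_requests(SAMPLE_TOPICS, "alias/sns-topics"), indent=2))
    # Constructed publisher role ARN.
    print(json.dumps(kms_key_policy_statement(
        {"AWS": ["arn:aws-cn:iam::111122223333:role/app-publisher"]}), indent=2))
```

The empty-string case matters in practice: a topic that once had SSE and was later reset shows the attribute with an empty value, and a check that only tests for the key's presence would wrongly pass it. When applying the key policy statement, scope it further to the principals that actually publish rather than granting the whole account.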

[SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic

Important

Security Hub retired this control in April 2024. For more information, see Change log for Security Hub controls.

Related requirements: NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2

Category: Identify > Logging

Severity: Medium

Resource type: AWS::SNS::Topic

Amazon Config rule: sns-topic-message-delivery-notification-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether delivery status logging is enabled for notification messages sent to an Amazon SNS topic, for the endpoint protocols the topic delivers to. The control fails if delivery status logging is not enabled for the topic.

Logging is an important part of maintaining the reliability, availability, and performance of services. Logging message delivery status helps provide operational insights, such as the following:

  • Knowing whether a message was delivered to the Amazon SNS endpoint.

  • Identifying the response sent from the Amazon SNS endpoint to Amazon SNS.

  • Determining the message dwell time (the time between the publish timestamp and the handoff to an Amazon SNS endpoint).

Remediation

To configure delivery status logging for a topic, see Amazon SNS message delivery status in the Amazon Simple Notification Service Developer Guide.
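The following is an added example (not Security Hub, Amazon Config or SNS code) showing SNS.2 in Python: the check over a topic's attributes, the SetTopicAttributes calls and IAM policies that enable delivery status logging for one protocol, and a small reader for the resulting log records that extracts the three insights listed above (delivered or not, endpoint response, dwell time). The topic attributes and log records are constructed; the record layout follows the notification/delivery/status shape SNS writes to CloudWatch Logs, and all ARNs, IDs and endpoints are made up.

```python
"""SNS.2 as code: detect topics without delivery status logging, build the
fix, and read the resulting log.  Added example, not Security Hub code.
Topic attributes and log records are constructed; ARNs and endpoints are made up.
"""

# Protocols for which SNS exposes delivery status attributes.
PROTOCOLS = ("HTTP", "Lambda", "SQS", "Application", "Firehose")

SAMPLE_TOPICS = {
    # Constructed: HTTP delivery status logging configured for successes and failures.
    "arn:aws-cn:sns:cn-north-1:111122223333:webhooks": {
        "HTTPSuccessFeedbackRoleArn": "arn:aws-cn:iam::111122223333:role/SNSLogging",
        "HTTPFailureFeedbackRoleArn": "arn:aws-cn:iam::111122223333:role/SNSLogging",
        "HTTPSuccessFeedbackSampleRate": "100",
    },
    # Constructed: a sample rate but no role, so nothing is ever written.
    "arn:aws-cn:sns:cn-north-1:111122223333:lambda-fanout": {
        "LambdaSuccessFeedbackSampleRate": "100",
    },
    # Constructed: no delivery status attributes at all.
    "arn:aws-cn:sns:cn-north-1:111122223333:quiet": {},
}


def logged_protocols(attributes):
    """Protocols with at least one feedback role; a sample rate alone logs nothing."""
    return [p for p in PROTOCOLS
            if attributes.get(f"{p}SuccessFeedbackRoleArn")
            or attributes.get(f"{p}FailureFeedbackRoleArn")]


def evaluate_topics(topics):
    return {arn: "PASSED" if logged_protocols(a) else "FAILED"
            for arn, a in topics.items()}


def enable_logging_requests(topic_arn, protocol, role_arn, success_sample_rate=100):
    """SetTopicAttributes calls for one protocol.  Failures are logged whenever the
    failure role is set; the sample rate (0..100) only thins successful deliveries."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"no delivery status support for protocol {protocol!r}")
    if not 0 <= success_sample_rate <= 100:
        raise ValueError("success sample rate must be between 0 and 100")
    return [
        {"TopicArn": topic_arn, "AttributeName": f"{protocol}SuccessFeedbackRoleArn",
         "AttributeValue": role_arn},
        {"TopicArn": topic_arn, "AttributeName": f"{protocol}FailureFeedbackRoleArn",
         "AttributeValue": role_arn},
        {"TopicArn": topic_arn, "AttributeName": f"{protocol}SuccessFeedbackSampleRate",
         "AttributeValue": str(success_sample_rate)},
    ]


def feedback_role_policies(log_resource="*"):
    """Trust policy letting SNS assume the logging role, plus the CloudWatch Logs
    permissions SNS needs.  Narrow log_resource to the topic's log group ARNs."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:PutMetricFilter", "logs:PutRetentionPolicy"],
        "Resource": log_resource}]}
    return trust, permissions


# Constructed delivery status records in the documented notification/delivery/status shape.
SAMPLE_LOG = [
    {"notification": {"messageId": "m-1", "timestamp": "2024-05-01 10:00:00.000"},
     "delivery": {"destination": "https://hooks.example.internal/a", "providerResponse": "OK",
                  "dwellTimeMs": 23, "attempts": 1, "statusCode": 200}, "status": "SUCCESS"},
    {"notification": {"messageId": "m-2", "timestamp": "2024-05-01 10:00:05.000"},
     "delivery": {"destination": "https://hooks.example.internal/b", "providerResponse": "HTTP 503",
                  "dwellTimeMs": 61200, "attempts": 3, "statusCode": 503}, "status": "FAILURE"},
    {"notification": {"messageId": "m-3", "timestamp": "2024-05-01 10:00:09.000"},
     "delivery": {"destination": "https://hooks.example.internal/a", "providerResponse": "OK",
                  "dwellTimeMs": 410, "attempts": 1, "statusCode": 200}, "status": "SUCCESS"},
]


def summarize_deliveries(records):
    """Delivered or not, what the endpoint answered on failure, and the worst dwell time."""
    summary = {"SUCCESS": 0, "FAILURE": 0, "max_dwell_ms": 0, "failed_destinations": {}}
    for r in records:
        summary[r["status"]] += 1
        summary["max_dwell_ms"] = max(summary["max_dwell_ms"], r["delivery"]["dwellTimeMs"])
        if r["status"] == "FAILURE":
            summary["failed_destinations"][r["delivery"]["destination"]] = r["delivery"]["providerResponse"]
    return summary


if __name__ == "__main__":
    print(evaluate_topics(SAMPLE_TOPICS))
    print(summarize_deliveries(SAMPLE_LOG))
```

The second constructed topic is the trap worth knowing: a sample rate without a feedback role is accepted by SNS but produces no log records, so the check keys on the role attributes, not the sample rate. Setting the success sample rate below 100 keeps log volume down on busy topics while failures are still recorded in full.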

[SNS.3] SNS topics should be tagged

Category: Identify > Inventory > Tagging

Severity: Low

Resource type: AWS::SNS::Topic

Amazon Config rule: tagged-sns-topic (custom Security Hub rule)

Schedule type: Change triggered

Parameters:

Parameter: requiredTagKeys
Description: List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.
Type: StringList
Allowed custom values: List of tags that meet Amazon requirements
Security Hub default value: No default value

This control checks whether an Amazon SNS topic has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the topic doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the topic isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see What is ABAC for Amazon? in the IAM User Guide.

Note

Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services, including Amazon Billing. For more tagging best practices, see Tagging your Amazon resources in the Amazon Web Services General Reference.

Remediation

To add tags to an SNS topic, see Configuring Amazon SNS topic tags in the Amazon Simple Notification Service Developer Guide.
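The following is an added example (not Security Hub, Amazon Config or SNS code) that implements the SNS.3 evaluation in Python exactly as the control text describes it (system tags ignored, case-sensitive keys, the two behaviours with and without requiredTagKeys), builds the TagResource call that fixes a failing topic, and generates the ABAC policy the text mentions, which allows sns:Publish only when the principal's tag matches the topic's tag. The tag lists are constructed in the shape ListTagsForResource returns; ARNs, tag keys and values are made up.

```python
"""SNS.3 as code: requiredTagKeys evaluation, TagResource fix, ABAC policy.
Added example, not Security Hub code.  Tag lists below are constructed.
"""

SAMPLE_TAGS = {
    # Constructed: fully tagged, plus a system tag that must be ignored.
    "arn:aws-cn:sns:cn-north-1:111122223333:alerts": [
        {"Key": "Owner", "Value": "payments-team"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "aws:cloudformation:stack-name", "Value": "alerts-stack"},
    ],
    # Constructed: only a system tag, so effectively untagged.
    "arn:aws-cn:sns:cn-north-1:111122223333:untagged": [
        {"Key": "aws:cloudformation:stack-name", "Value": "legacy-stack"},
    ],
    # Constructed: wrong case; "owner" does not satisfy a required "Owner".
    "arn:aws-cn:sns:cn-north-1:111122223333:miscased": [
        {"Key": "owner", "Value": "payments-team"},
    ],
}


def user_tag_keys(tags):
    """Tag keys the control looks at: "aws:"-prefixed system tags dropped, case kept."""
    return {t["Key"] for t in tags if not t["Key"].startswith("aws:")}


def evaluate_topic(tags, required_tag_keys=None):
    """Return (verdict, missing_keys) following the requiredTagKeys semantics:
    with no parameter, any non-system tag passes; with it, every listed key must exist."""
    present = user_tag_keys(tags)
    if not required_tag_keys:
        return ("PASSED" if present else "FAILED"), []
    missing = [k for k in required_tag_keys if k not in present]
    return ("PASSED" if not missing else "FAILED"), missing


def evaluate_topics(topics, required_tag_keys=None):
    return {arn: evaluate_topic(tags, required_tag_keys) for arn, tags in topics.items()}


def tag_resource_request(topic_arn, tag_values):
    """Parameters for sns:TagResource adding the given key/value pairs."""
    return {"ResourceArn": topic_arn,
            "Tags": [{"Key": k, "Value": v} for k, v in tag_values.items()]}


def remediation_requests(topics, required_tag_keys, fill_values):
    """One TagResource call per failing topic, adding only the required keys it lacks.
    fill_values maps each required key to the value to apply (constructed placeholders
    here; in practice look up the real owner rather than tagging blindly)."""
    requests = []
    for arn, (verdict, missing) in evaluate_topics(topics, required_tag_keys).items():
        if verdict == "FAILED":
            requests.append(tag_resource_request(arn, {k: fill_values[k] for k in missing}))
    return requests


def abac_publish_policy(tag_key):
    """IAM policy granting sns:Publish only on topics whose tag matches the caller's
    principal tag, the ABAC pattern from the IAM User Guide applied to SNS."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublishToTopicsOfMyTeam",
        "Effect": "Allow",
        "Action": "sns:Publish",
        "Resource": "*",
        "Condition": {"StringEquals": {
            f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"}},
    }]}


if __name__ == "__main__":
    print(evaluate_topics(SAMPLE_TAGS, ["Owner", "Environment"]))
    print(abac_publish_policy("Owner"))
```

Note that the same topic can pass or fail depending on how the parameter is set: the miscased topic passes the default check (it has some non-system tag) but fails once "Owner" is required, which is why a tagging standard should fix the exact key spelling before the parameter is rolled out. The ABAC policy only does useful work if the required key is also the key your principals carry.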