Message security for FIFO topics
You can choose to have Amazon SNS and Amazon SQS encrypt messages sent to FIFO topics and queues
using Amazon Key Management Service (Amazon KMS).
Note
Adding encryption to an existing FIFO topic or queue doesn't encrypt any backlogged messages, and removing encryption from a topic or queue leaves backlogged messages encrypted.
SNS FIFO topics decrypt messages immediately before delivering them to subscribed
endpoints. SQS FIFO queues decrypt messages just before returning them to the consumer
application. For more information, see Data encryption and Encrypting messages published to Amazon SNS with Amazon KMS.
In addition, SNS FIFO topics and SQS FIFO queues support message privacy with interface VPC endpoints powered by Amazon PrivateLink. Using interface endpoints,
you can send messages from Amazon Virtual Private Cloud (Amazon VPC) subnets to FIFO topics and queues without
traversing the public internet. This model keeps your messaging within the Amazon
infrastructure and network, which enhances the overall security of your application. When you
use Amazon PrivateLink, you don't need to set up an internet gateway, network address translation
(NAT), or virtual private network (VPN). For more information, see Internetwork traffic privacy and Securing messages published to Amazon SNS with Amazon PrivateLink.
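The following script is an added example, not code from this documentation page or from Amazon. It creates an SNS FIFO topic and an SQS FIFO queue with server-side encryption enabled at creation time (so no unencrypted backlog ever exists), optionally routes the API calls through interface VPC endpoints, and then audits the returned attributes. The resource names, the AWS-managed key aliases, the environment variable names and the endpoint URL placeholders are assumptions; substitute your own values.

```python
"""Create an encrypted SNS FIFO topic and SQS FIFO queue, optionally via
PrivateLink endpoints, and audit their attributes (added example)."""
import os

# Assumed key identifiers. The AWS-managed aliases exist in every account, but a
# customer-managed key ARN is required if you need to edit the key policy.
SNS_KEY = os.environ.get("SNS_KMS_KEY", "alias/aws/sns")
SQS_KEY = os.environ.get("SQS_KMS_KEY", "alias/aws/sqs")

# Optional interface VPC endpoint URLs (assumed variable names). Copy the DNS
# name shown on your endpoint, e.g. https://vpce-<id>.sns.<region>.vpce.amazonaws.com.
# When unset, boto3 falls back to the public regional endpoint.
SNS_ENDPOINT = os.environ.get("SNS_VPCE_URL")
SQS_ENDPOINT = os.environ.get("SQS_VPCE_URL")


def fifo_topic_attributes(kms_key_id: str) -> dict:
    """Attributes for CreateTopic: FIFO ordering plus server-side encryption."""
    return {"FifoTopic": "true", "KmsMasterKeyId": kms_key_id}


def fifo_queue_attributes(kms_key_id: str, reuse_seconds: int = 300) -> dict:
    """Attributes for CreateQueue. A short data-key reuse period bounds how long
    a cached data key remains usable after the KMS key is disabled or revoked."""
    return {
        "FifoQueue": "true",
        "KmsMasterKeyId": kms_key_id,
        "KmsDataKeyReusePeriodSeconds": str(reuse_seconds),
    }


def audit_attributes(attrs: dict) -> list:
    """Findings for a GetTopicAttributes / GetQueueAttributes map.
    An empty list means the resource is FIFO and encrypted at rest."""
    findings = []
    if attrs.get("FifoTopic") != "true" and attrs.get("FifoQueue") != "true":
        findings.append("not a FIFO resource")
    key = attrs.get("KmsMasterKeyId")
    if not key:
        findings.append("server-side encryption disabled")
    elif key.startswith("alias/aws/"):
        # AWS-managed keys work, but their key policy cannot be customised.
        findings.append("AWS-managed key: key policy cannot be customised")
    return findings


def main():
    import boto3  # only needed for the live calls; assumed installed and configured

    sns = boto3.client("sns", endpoint_url=SNS_ENDPOINT)
    sqs = boto3.client("sqs", endpoint_url=SQS_ENDPOINT)

    # Encryption is set in the same call that creates the resource, so there is
    # never a window in which messages are accepted unencrypted.
    topic_arn = sns.create_topic(
        Name="orders.fifo", Attributes=fifo_topic_attributes(SNS_KEY)
    )["TopicArn"]
    queue_url = sqs.create_queue(
        QueueName="orders.fifo", Attributes=fifo_queue_attributes(SQS_KEY)
    )["QueueUrl"]

    topic_attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    queue_attrs = sqs.get_queue_attributes(
        QueueUrl=queue_url, AttributeNames=["All"]
    )["Attributes"]

    for name, attrs in (("topic", topic_attrs), ("queue", queue_attrs)):
        print(name, audit_attributes(attrs) or "OK")


if __name__ == "__main__":
    main()
```

The audit function can also be pointed at existing topics and queues (for example from an inventory script) to catch resources that were created before encryption was enabled; remember that, as the note above says, enabling encryption later does not encrypt messages already in the backlog.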
SNS FIFO topics also support dead-letter queues and message storage across Availability Zones. For more information, see Message durability for FIFO topics.