Enabling server-side encryption (SSE) for an Amazon SNS topic with an encrypted Amazon SQS queue subscribed
You can enable server-side encryption (SSE) for a topic to protect its data. To allow Amazon SNS
to send messages to encrypted Amazon SQS queues, the customer managed key associated with the Amazon SQS queue
must have a policy statement that grants Amazon SNS service-principal access to the Amazon KMS API
actions GenerateDataKey
and Decrypt
. For more information about
using SSE, see Encryption at rest.
This page shows how you can enable SSE for an Amazon SNS topic to which an encrypted Amazon SQS queue is subscribed, using the Amazon Web Services Management Console.
Step 1: Create a custom KMS key
-
Sign in to the Amazon KMS console
with a user that has at least the AWSKeyManagementServicePowerUser
policy. -
Choose Create a key.
-
To create a symmetric encryption KMS key, for Key type choose Symmetric.
For information about how to create an asymmetric KMS key in the Amazon KMS console, see Creating asymmetric KMS keys (console).
-
In Key usage, the Encrypt and decrypt option is selected for you.
For information about how to create KMS keys that generate and verify MAC codes, see Creating HMAC KMS keys.
For information about the Advanced options, see Special-purpose keys.
-
Choose Next.
-
Type an alias for the KMS key. The alias name cannot begin with
aws/
. Theaws/
prefix is reserved by Amazon Web Services to represent Amazon managed keys in your account.Note
Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for Amazon KMS and Using aliases to control access to KMS keys.
An alias is a display name that you can use to identify the KMS key. We recommend that you choose an alias that indicates the type of data you plan to protect or the application you plan to use with the KMS key.
Aliases are required when you create a KMS key in the Amazon Web Services Management Console. They are optional when you use the CreateKey operation.
-
(Optional) Type a description for the KMS key.
You can add a description now or update it any time unless the key state is
Pending Deletion
orPending Replica Deletion
. To add, change, or delete the description of an existing customer managed key, edit the description in the Amazon Web Services Management Console or use the UpdateKeyDescription operation. -
(Optional) Type a tag key and an optional tag value. To add more than one tag to the KMS key, choose Add tag.
Note
Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for Amazon KMS and Using tags to control access to KMS keys.
When you add tags to your Amazon resources, Amazon generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see Tagging keys and ABAC for Amazon KMS.
-
Choose Next.
-
Select the IAM users and roles that can administer the KMS key.
Note
This key policy gives the Amazon Web Services account full control of this KMS key. It allows account administrators to use IAM policies to give other principals permission to manage the KMS key. For details, see Default key policy.
IAM best practices discourage the use of IAM users with long-term credentials. Whenever possible, use IAM roles, which provide temporary credentials. For details, see Security best practices in IAM in the IAM User Guide.
-
(Optional) To prevent the selected IAM users and roles from deleting this KMS key, in the Key deletion section at the bottom of the page, clear the Allow key administrators to delete this key check box.
-
Choose Next.
-
Select the IAM users and roles that can use the key in cryptographic operations. Choose Next.
-
On the Review and edit key policy page, add the following statement to the key policy, and then choose Finish.
{ "Sid": "Allow Amazon SNS to use this key", "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ], "Resource": "*" }
Your new customer managed key appears in the list of keys.
Step 2: Create an encrypted Amazon SNS topic
-
Sign in to the Amazon SNS console
. -
On the navigation panel, choose Topics.
-
Choose Create topic.
-
On the Create new topic page, for Name, enter a topic name (for example,
MyEncryptedTopic
) and then choose Create topic. -
Expand the Encryption section and do the following:
-
Choose Enable server-side encryption.
-
Specify the customer managed key. For more information, see Key terms.
For each customer managed key type, the Description, Account, and customer managed key ARN are displayed.
Important
If you aren't the owner of the customer managed key, or if you log in with an account that doesn't have the
kms:ListAliases
andkms:DescribeKey
permissions, you won't be able to view information about the customer managed key on the Amazon SNS console.Ask the owner of the customer managed key to grant you these permissions. For more information, see the Amazon KMS API Permissions: Actions and Resources Reference in the Amazon Key Management Service Developer Guide.
-
For customer managed key, choose MyCustomKey which you created earlier and then choose Enable server-side encryption.
-
-
Choose Save changes.
SSE is enabled for your topic and the MyTopic page is displayed.
The topic's Encryption status, Amazon Account, customer managed key, customer managed key ARN, and Description are displayed on the Encryption tab.
Your new encrypted topic appears in the list of topics.
Step 3: Create and subscribe encrypted Amazon SQS queues
-
Sign in to the Amazon SQS console
. -
Choose Create New Queue.
-
On the Create New Queue page, do the following:
-
Enter a Queue Name (for example,
MyEncryptedQueue1
). -
Choose Standard Queue, and then choose Configure Queue.
-
Choose Use SSE.
-
For Amazon KMS key, choose MyCustomKey which you created earlier, and then choose Create Queue.
-
-
Repeat the process to create a second queue (for example, named
MyEncryptedQueue2
).Your new encrypted queues appear in the list of queues.
-
On the Amazon SQS console, choose
MyEncryptedQueue1
andMyEncryptedQueue2
and then choose Queue Actions, Subscribe Queues to SNS Topic. -
In the Subscribe to a Topic dialog box, for Choose a Topic select MyEncryptedTopic, and then choose Subscribe.
Your encrypted queues' subscriptions to your encrypted topic are displayed in the Topic Subscription Result dialog box.
-
Choose OK.
Step 4: Publish a message to your encrypted topic
-
Sign in to the Amazon SNS console
. -
On the navigation panel, choose Topics.
-
From the list of topics, choose MyEncryptedTopic and then choose Publish message.
-
On the Publish a message page, do the following:
-
(Optional) In the Message details section, enter the Subject (for example,
Testing message publishing
). -
In the Message body section, enter the message body (for example,
My message body is encrypted at rest.
). -
Choose Publish message.
-
Your message is published to your subscribed encrypted queues.
Step 5: Verify message delivery
-
Sign in to the Amazon SQS console
. -
From the list of queues, choose MyEncryptedQueue1 and then choose Send and receive messages.
-
On the Send and receive messages in MyEncryptedQueue1 page, choose Poll for messages.
The message that you sent earlier is displayed.
-
Choose More Details to view your message.
-
When you're finished, choose Close.
-
Repeat the process for MyEncryptedQueue2.