Enabling server-side encryption (SSE) for an Amazon SNS topic with an encrypted Amazon SQS queue subscribed
You can enable server-side encryption (SSE) for a topic to protect its data. To allow Amazon SNS to send messages to encrypted Amazon SQS queues, the customer master key (CMK) associated with the Amazon SQS queue must have a policy statement that grants the Amazon SNS service principal access to the Amazon KMS API actions GenerateDataKey and Decrypt. Because Amazon managed CMKs don't support policy modifications, you must use a custom CMK. For more information about using SSE, see Encryption at rest.
This page shows how you can enable SSE for an Amazon SNS topic to which an encrypted Amazon SQS queue is subscribed, using the Amazon Web Services Management Console.
Step 1: To create a custom CMK
- Sign in to the Amazon KMS console with a user that has at least the AWSKeyManagementServicePowerUser policy.
- Choose Create a key.
- On the Add alias and description page, enter an Alias for your key (for example, MyCustomCMK) and then choose Next.
- On the Add tags page, choose Next.
- On the Define key administrative permissions page, in the Key administrators section, choose an IAM role or an IAM user and then choose Next.
- On the Define key usage permissions page, in the This account section, choose an IAM role or an IAM user and then choose Next.
- On the Review and edit key policy page, add the following statement to the key policy, and then choose Finish.

    {
      "Sid": "Allow Amazon SNS to use this key",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }

Your new custom CMK appears in the list of keys.
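A small audit helper for the key policy from Step 1, added here as an example (it is not AWS documentation code). It parses a KMS key policy document and reports which of the two actions SNS needs are not granted to the sns.amazonaws.com service principal, honouring the kms:GenerateDataKey* wildcard and treating an explicit Deny as a failure. The two sample policies are constructed for the example; conditions and the Resource field are deliberately ignored, which is an assumption noted in the code.

```python
"""Check that a KMS key policy grants the SNS service principal the actions it
needs (kms:GenerateDataKey and kms:Decrypt) to deliver to an encrypted SQS queue.
Added example, not AWS documentation code; the sample policies are constructed."""
import fnmatch
import json

REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
SNS_PRINCIPAL = "sns.amazonaws.com"


def _as_list(value):
    """IAM accepts either a string or a list in Action/Principal/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers_sns(stmt):
    """True if the statement's Principal includes the SNS service principal."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True  # anonymous principal matches every caller (and is far too broad)
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return SNS_PRINCIPAL in services


def _action_matches(stmt, action):
    """True if any Action pattern (wildcards allowed, e.g. kms:GenerateDataKey*)
    matches the concrete action name."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action")))


def missing_sns_grants(policy_json):
    """Return the required actions that no Allow statement grants to
    sns.amazonaws.com, or that a Deny statement takes away. An empty list means
    the key policy is ready. Assumption: Condition blocks and the Resource field
    are not evaluated (in a key policy, Resource "*" means the key itself)."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_covers_sns(stmt):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in REQUIRED_ACTIONS:
            if _action_matches(stmt, action):
                bucket.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]


# Constructed sample: the statement from Step 1 next to the usual root-account statement.
POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Amazon SNS to use this key", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    ],
})

# Constructed sample: GenerateDataKey was granted but Decrypt was forgotten.
POLICY_INCOMPLETE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow Amazon SNS to use this key", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("incomplete", POLICY_INCOMPLETE)):
        print(f"{name}: missing {missing_sns_grants(policy)}")
```

To run it against a real key, feed it the document returned by the KMS GetKeyPolicy API (policy name "default"); an empty result is the condition this page requires before the subscription in Step 3 will deliver.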
Step 2: To create an encrypted Amazon SNS topic
- Sign in to the Amazon SNS console.
- On the navigation panel, choose Topics.
- Choose Create topic.
- On the Create new topic page, for Name, enter a topic name (for example, MyEncryptedTopic) and then choose Create topic.
- Expand the Encryption section and do the following:
  - Choose Enable server-side encryption.
  - Specify the customer master key (CMK). For more information, see Key terms.
    For each CMK type, the Description, Account, and CMK ARN are displayed.
    Important: If you aren't the owner of the CMK, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the CMK on the Amazon SNS console. Ask the owner of the CMK to grant you these permissions. For more information, see the Amazon KMS API Permissions: Actions and Resources Reference in the Amazon Key Management Service Developer Guide.
  - For Customer master key (CMK), choose MyCustomCMK, which you created earlier, and then choose Enable server-side encryption.
- Choose Save changes.
SSE is enabled for your topic and the MyEncryptedTopic page is displayed.
The topic's Encryption status, Amazon Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.
Your new encrypted topic appears in the list of topics.
Step 3: To create and subscribe encrypted Amazon SQS queues
- Sign in to the Amazon SQS console.
- Choose Create New Queue.
- On the Create New Queue page, do the following:
  - Enter a Queue Name (for example, MyEncryptedQueue1).
  - Choose Standard Queue, and then choose Configure Queue.
  - Choose Use SSE.
  - For Amazon KMS Customer Master Key (CMK), choose MyCustomCMK, which you created earlier, and then choose Create Queue.
- Repeat the process to create a second queue (for example, named MyEncryptedQueue2).
  Your new encrypted queues appear in the list of queues.
- On the Amazon SQS console, choose MyEncryptedQueue1 and MyEncryptedQueue2 and then choose Queue Actions, Subscribe Queues to SNS Topic.
- In the Subscribe to a Topic dialog box, for Choose a Topic select MyEncryptedTopic, and then choose Subscribe.
  Your encrypted queues' subscriptions to your encrypted topic are displayed in the Topic Subscription Result dialog box.
- Choose OK.
Step 4: To publish a message to your encrypted topic
- Sign in to the Amazon SNS console.
- On the navigation panel, choose Topics.
- From the list of topics, choose MyEncryptedTopic and then choose Publish message.
- On the Publish a message page, do the following:
  - (Optional) In the Message details section, enter the Subject (for example, Testing message publishing).
  - In the Message body section, enter the message body (for example, My message body is encrypted at rest.).
  - Choose Publish message.
Your message is published to your subscribed encrypted queues.
Step 5: To verify message delivery
- Sign in to the Amazon SQS console.
- From the list of queues, choose MyEncryptedQueue1 and then choose Send and receive messages.
- On the Send and receive messages in MyEncryptedQueue1 page, choose Poll for messages.
  The message that you sent earlier is displayed.
- Choose More Details to view your message.
- When you're finished, choose Close.
- Repeat the process for MyEncryptedQueue2.
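The same setup as Steps 2 to 5, driven through the SNS and SQS APIs instead of the console, added here as an example (it is not AWS documentation code). It shows the attribute the console sets behind "Enable server-side encryption" and "Use SSE" (KmsMasterKeyId on the topic and on each queue), and one thing the console does silently during "Subscribe Queues to SNS Topic": it writes a queue policy that lets the SNS service principal call sqs:SendMessage, scoped here to the one topic ARN. The functions take client objects as parameters, so they work with real boto3 clients; the RecordingClient stub, the account number, region and alias are all constructed so the module also runs offline.

```python
"""Provision and exercise the setup from Steps 2 to 5 through the API rather than
the console. Added example, not AWS documentation code. Every function takes SNS
and SQS clients as parameters, so it runs against real boto3 clients or against
the RecordingClient stub at the bottom, which lets the module run offline."""
import json

# Assumption: the CMK from Step 1 is referenced by its alias; a key ID or ARN also works.
KEY_ID = "alias/MyCustomCMK"


def create_encrypted_topic(sns, name, key_id):
    """KmsMasterKeyId is the topic attribute the console sets under
    'Enable server-side encryption'."""
    return sns.create_topic(Name=name, Attributes={"KmsMasterKeyId": key_id})["TopicArn"]


def create_encrypted_queue(sqs, name, key_id):
    """Standard queue with SSE enabled (the console's 'Use SSE' option)."""
    return sqs.create_queue(QueueName=name, Attributes={"KmsMasterKeyId": key_id})["QueueUrl"]


def queue_policy_for_topic(queue_arn, topic_arn):
    """Queue policy that lets the SNS service principal deliver to this queue, and
    only on behalf of one topic. The console's 'Subscribe Queues to SNS Topic'
    action writes an equivalent statement; via the API you set it yourself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowTopicToSendMessage",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def subscribe_queue(sns, sqs, topic_arn, queue_url):
    """Look up the queue ARN, attach the queue policy, then subscribe the queue."""
    queue_arn = sqs.get_queue_attributes(
        QueueUrl=queue_url, AttributeNames=["QueueArn"])["Attributes"]["QueueArn"]
    sqs.set_queue_attributes(
        QueueUrl=queue_url,
        Attributes={"Policy": json.dumps(queue_policy_for_topic(queue_arn, topic_arn))})
    return sns.subscribe(TopicArn=topic_arn, Protocol="sqs", Endpoint=queue_arn)["SubscriptionArn"]


def provision(sns, sqs, key_id, topic_name="MyEncryptedTopic",
              queue_names=("MyEncryptedQueue1", "MyEncryptedQueue2")):
    """Steps 2 and 3: one encrypted topic, the encrypted queues, each subscribed."""
    topic_arn = create_encrypted_topic(sns, topic_name, key_id)
    queues = {}
    for qname in queue_names:
        url = create_encrypted_queue(sqs, qname, key_id)
        queues[qname] = {"url": url, "subscription": subscribe_queue(sns, sqs, topic_arn, url)}
    return topic_arn, queues


def publish_and_poll(sns, sqs, topic_arn, queue_url, body, subject=None):
    """Steps 4 and 5: publish once, then long-poll one queue for the delivered copy."""
    kwargs = {"TopicArn": topic_arn, "Message": body}
    if subject:
        kwargs["Subject"] = subject
    sns.publish(**kwargs)
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=5)
    return [m["Body"] for m in resp.get("Messages", [])]


class RecordingClient:
    """Offline stand-in for a boto3 client: records every call and returns canned
    responses shaped like the real ones (constructed account and region). It does
    not deliver messages, so receive_message returns no Messages."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            queue_name = kwargs.get("QueueUrl", "").rsplit("/", 1)[-1]
            return {
                "create_topic": {"TopicArn": f"arn:aws:sns:us-east-1:123456789012:{kwargs.get('Name')}"},
                "create_queue": {"QueueUrl": f"https://sqs.us-east-1.amazonaws.com/123456789012/{kwargs.get('QueueName')}"},
                "get_queue_attributes": {"Attributes": {"QueueArn": f"arn:aws:sqs:us-east-1:123456789012:{queue_name}"}},
                "subscribe": {"SubscriptionArn": f"{kwargs.get('TopicArn')}:{len(self.calls)}"},
            }.get(op, {})
        return call


if __name__ == "__main__":
    # Replace the stubs with boto3.client("sns") and boto3.client("sqs") to run for real.
    sns, sqs = RecordingClient(), RecordingClient()
    topic_arn, queues = provision(sns, sqs, KEY_ID)
    print(topic_arn, json.dumps(queues, indent=2))
    print(publish_and_poll(sns, sqs, topic_arn, queues["MyEncryptedQueue1"]["url"],
                           "My message body is encrypted at rest.", "Testing message publishing"))
```

Against real clients, delivery in publish_and_poll only succeeds once the key policy from Step 1 is in place: the queue policy lets SNS call SendMessage, but writing into an SSE queue still requires the kms:GenerateDataKey and kms:Decrypt grants on the queue's CMK.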