Enabling server-side encryption (SSE) for an Amazon SNS topic - Amazon Simple Notification Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling server-side encryption (SSE) for an Amazon SNS topic

With server-side encryption (SSE), you can store sensitive data in encrypted topics. SSE protects the contents of messages in Amazon SNS topics using keys that are managed in Amazon Key Management Service (Amazon KMS): Amazon SNS encrypts each message as soon as it receives it, stores it in encrypted form, and decrypts it only when delivering it to a subscribed endpoint. For more information about server-side encryption with Amazon SNS, see Encryption at rest. For more information about creating Amazon KMS keys, see Creating keys in the Amazon Key Management Service Developer Guide.

Important

All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

Enable server-side encryption (SSE) for an Amazon SNS topic using the Amazon Web Services Management Console

  1. Sign in to the Amazon SNS console.

  2. On the navigation panel, choose Topics.

  3. On the Topics page, choose a topic and choose Actions, Edit.

  4. Expand the Encryption section and do the following:

    1. Choose Enable encryption.

    2. Specify the Amazon KMS key. For more information, see Key terms.

For each KMS key, the Description, Account, and KMS key ARN are displayed.

      Important

If you aren't the owner of the KMS key, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the KMS key on the Amazon SNS console.

Ask the owner of the KMS key to grant you these permissions. For more information, see the Amazon KMS API Permissions: Actions and Resources Reference in the Amazon Key Management Service Developer Guide.

• The Amazon managed key for Amazon SNS (Default), alias/aws/sns, is selected by default.

        Note

        Keep the following in mind:

• The first time you use the Amazon Web Services Management Console to specify the Amazon managed key for Amazon SNS for a topic, Amazon KMS creates the Amazon managed key for Amazon SNS.

• Alternatively, the first time you use the Publish action on a topic with SSE enabled, Amazon KMS creates the Amazon managed key for Amazon SNS.

• To use a customer managed key from your Amazon account, choose the KMS key field and then choose the key from the list.

        Note

For instructions on creating customer managed keys, see Creating Keys in the Amazon Key Management Service Developer Guide.

• To use a customer managed key from your Amazon account or from another Amazon account by ARN, enter the key ARN into the KMS key field. A key in another account must have a key policy that allows your account to use it.

  5. Choose Save changes.

SSE is enabled for your topic and the topic's detail page is displayed.

The topic's Encryption status, Amazon Account, Customer master key (CMK; the console's older label for the KMS key), CMK ARN, and Description are displayed on the Encryption tab.

Set up an Amazon SNS topic with server-side encryption

When creating your KMS key, add the following statement to the key policy. Replace service with the service principal of the Amazon service that publishes to the topic, aws:SourceArn with the ARN of the publishing resource, and the topic ARN with your own. Amazon SNS passes the topic ARN to Amazon KMS as the encryption context on every request, so the kms:EncryptionContext:aws:sns:topicArn condition limits the grant to that one topic rather than to every Amazon SNS topic in the account. Keep the statement that lets your account's administrators manage the key alongside this one. The key policy of the Amazon managed key (alias/aws/sns) can't be edited, so a topic that another Amazon service publishes to needs a customer managed key.

{
    "Effect": "Allow",
    "Principal": {
        "Service": "service.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws-cn:service:region:customer-account-id:resource-type/customer-resource-id"
        },
        "StringEquals": {
            "kms:EncryptionContext:aws:sns:topicArn": "arn:aws-cn:sns:your_region:customer-account-id:your_sns_topic_name"
        }
    }
}
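The console procedure above and the key-policy statement, carried through in code. This is an added example, not code from the Amazon SNS guide or from Amazon: build_key_policy assembles a complete key policy around the guide's statement (adding the usual root-administrator statement so the key stays manageable), service_allowed is a deliberately small offline check of the ArnLike and StringEquals conditions so you can see which requests the statement admits and which it refuses, and enable_sse performs the live equivalent of choosing Enable encryption, using boto3's create_key and set_topic_attributes on the topic's KmsMasterKeyId attribute. The account ID, Region, topic name, bucket ARN, and s3.amazonaws.com principal used as inputs are placeholders chosen for the example.

```python
"""KMS key policy for an SSE-enabled Amazon SNS topic, plus an offline condition check.

Added example, not code from the Amazon SNS guide. The account ID, topic
name, bucket ARN and service principal passed in by callers are placeholders.
"""
import fnmatch
import json


def build_key_policy(partition, region, account_id, topic_name,
                     publishing_service, source_arn):
    """Return a complete KMS key policy document.

    Statement 1 keeps the account root (and so IAM administrators) able to
    manage the key; without it the key can become unmanageable. Statement 2
    is the guide's statement: the publishing Amazon service may generate and
    decrypt data keys, but only for requests originating from source_arn and
    targeting this topic. Amazon SNS sends the topic ARN as the encryption
    context on every KMS call, so StringEquals pins the grant to one topic.
    """
    topic_arn = f"arn:{partition}:sns:{region}:{account_id}:{topic_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:{partition}:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowServicePublishToEncryptedTopic",
                "Effect": "Allow",
                "Principal": {"Service": publishing_service},
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": {
                    "ArnLike": {"aws:SourceArn": source_arn},
                    "StringEquals": {
                        "kms:EncryptionContext:aws:sns:topicArn": topic_arn,
                    },
                },
            },
        ],
    }


def _conditions_met(condition, request):
    """ArnLike: case-sensitive wildcard ('*', '?'); StringEquals: exact match.
    A condition key missing from the request context never matches."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "StringEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "ArnLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
            if operator == "StringEquals" and actual != expected:
                return False
    return True


def service_allowed(policy, service_principal, action, request):
    """Offline check: does an Allow statement grant `action` to this service
    under the given request context? A reasoning aid for the statement above,
    not a full IAM evaluator (no Deny statements, no KMS grants)."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt["Effect"] != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != service_principal:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions and "kms:*" not in actions:
            continue
        if _conditions_met(stmt.get("Condition", {}), request):
            return True
    return False


def enable_sse(region, topic_arn, policy, description):
    """Live equivalent of the console steps (needs boto3 and credentials):
    create a customer managed key with this policy, then set the topic's
    KmsMasterKeyId attribute, which is what 'Enable encryption' does."""
    import boto3  # imported here so the offline helpers run without boto3
    kms = boto3.client("kms", region_name=region)
    key_id = kms.create_key(Policy=json.dumps(policy),
                            Description=description)["KeyMetadata"]["KeyId"]
    sns = boto3.client("sns", region_name=region)
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="KmsMasterKeyId",
                             AttributeValue=key_id)
    return sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]["KmsMasterKeyId"]
```

Run service_allowed with the same service principal but a different topic ARN in the encryption context, or a different aws:SourceArn, and it returns False: that is the property the two conditions buy you, and the reason to set them rather than granting the service principal blanket kms:GenerateDataKey on the key. Only enable_sse talks to Amazon; the policy builder and the check run offline, which makes them usable in a unit test before the key is created.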