Enabling server-side encryption (SSE) for an Amazon SNS topic - Amazon Simple Notification Service
Amazon Web Services Management Console
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling server-side encryption (SSE) for an Amazon SNS topic

You can enable server-side encryption (SSE) for a topic to protect its data. For more information about using SSE, see Encryption at rest.

Important

All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

This page shows how to enable, disable, and configure SSE for an existing Amazon SNS topic using the Amazon Web Services Management Console.

To enable server-side encryption (SSE) for an Amazon SNS topic using the Amazon Web Services Management Console

  1. Sign in to the Amazon SNS console.

  2. On the navigation panel, choose Topics.

  3. On the Topics page, choose a topic and choose Actions, Edit.

  4. Expand the Encryption section and do the following:

    1. Choose Enable encryption.

    2. Specify the Amazon KMS key. For more information, see Key terms.

      For each KMS type, the Description, Account, and KMS ARN are displayed.

      Important

      If you aren't the owner of the KMS, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the KMS on the Amazon SNS console.

      Ask the owner of the KMS to grant you these permissions. For more information, see the Amazon KMS API Permissions: Actions and Resources Reference in the Amazon Key Management Service Developer Guide.

      • The Amazon managed KMS for Amazon SNS (Default) alias/aws/sns is selected by default.

        Note

        Keep the following in mind:

        • The first time you use the Amazon Web Services Management Console to specify the Amazon managed KMS for Amazon SNS for a topic, Amazon KMS creates the Amazon managed KMS for Amazon SNS.

        • Alternatively, the first time you use the Publish action on a topic with SSE enabled, Amazon KMS creates the Amazon managed KMS for Amazon SNS.

      • To use a custom KMS from your Amazon account, choose the Amazon KMS key field and then choose the custom KMS from the list.

        Note

        For instructions on creating custom KMSs, see Creating Keys in the Amazon Key Management Service Developer Guide

      • To use a custom KMS ARN from your Amazon account or from another Amazon account, enter it into the Amazon KMS key field.

  5. Choose Save changes.

    SSE is enabled for your topic and the MyTopic page is displayed.

    The topic's Encryption status, Amazon Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.