Enabling server-side encryption (SSE) for an Amazon SNS topic
With server-side encryption (SSE), you can store sensitive data in encrypted topics. SSE protects the contents of messages in Amazon SNS topics using keys that are managed in Amazon Key Management Service (Amazon KMS). For more information about server-side encryption with Amazon SNS, see Encryption at rest. For more information about creating Amazon KMS keys, see Creating keys in the Amazon Key Management Service Developer Guide.
Important
All requests to topics with SSE enabled must use HTTPS and Signature Version 4.
Enable server-side encryption (SSE) for an Amazon SNS topic using the Amazon Web Services Management Console
- Sign in to the Amazon SNS console.
- On the navigation panel, choose Topics.
- On the Topics page, choose a topic and choose Actions, Edit.
- Expand the Encryption section and do the following:
  - Choose Enable encryption.
  - Specify the Amazon KMS key. For more information, see Key terms.
    For each KMS key type, the Description, Account, and KMS ARN are displayed.
    Important
    If you aren't the owner of the KMS key, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the KMS key on the Amazon SNS console. Ask the owner of the KMS key to grant you these permissions. For more information, see Amazon KMS API Permissions: Actions and Resources Reference in the Amazon Key Management Service Developer Guide.
    - The Amazon managed KMS key for Amazon SNS (Default), alias/aws/sns, is selected by default.
      Note
      Keep the following in mind:
      - The first time you use the Amazon Web Services Management Console to specify the Amazon managed KMS key for Amazon SNS for a topic, Amazon KMS creates the Amazon managed KMS key for Amazon SNS.
      - Alternatively, the first time you use the Publish action on a topic with SSE enabled, Amazon KMS creates the Amazon managed KMS key for Amazon SNS.
    - To use a custom KMS key from your Amazon account, choose the KMS key field and then choose the custom KMS key from the list.
      Note
      For instructions on creating custom KMS keys, see Creating Keys in the Amazon Key Management Service Developer Guide.
    - To use a custom KMS key ARN from your Amazon account or from another Amazon account, enter it into the KMS key field.
- Choose Save changes.
  SSE is enabled for your topic and the MyTopic page is displayed. The topic's Encryption status, Amazon Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.
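The console steps above set a single topic attribute, KmsMasterKeyId, which is also what the SNS API exposes for auditing. The following is an added example, not code from the AWS documentation: it lists every topic, reports which ones have no KmsMasterKeyId (that is, no SSE), and enables SSE with the default alias/aws/sns key. The SNS client is injected so the logic runs offline against a constructed FakeSnsClient; with boto3 installed you would pass boto3.client("sns") instead. The attribute and parameter names (KmsMasterKeyId, TopicArn, AttributeName, AttributeValue, NextToken) are the real SNS API names; the topic ARNs and account id are constructed sample values.

```python
"""Audit and enable SSE on Amazon SNS topics (added example, not AWS's own code)."""

AWS_MANAGED_SNS_KEY = "alias/aws/sns"  # the console's default choice


def sse_status(attributes):
    """Summarise encryption state from a GetTopicAttributes 'Attributes' dict.

    SNS only returns KmsMasterKeyId when SSE is enabled on the topic.
    """
    key_id = attributes.get("KmsMasterKeyId", "")
    return {
        "enabled": bool(key_id),
        "key_id": key_id or None,
        "aws_managed": key_id == AWS_MANAGED_SNS_KEY,
    }


def list_all_topic_arns(sns_client):
    """Follow NextToken pagination of ListTopics until the last page."""
    arns, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = sns_client.list_topics(**kwargs)
        arns.extend(t["TopicArn"] for t in page.get("Topics", []))
        token = page.get("NextToken")
        if not token:
            return arns


def audit_topics(sns_client):
    """Map every topic ARN to its SSE status; entries with enabled=False are findings."""
    return {
        arn: sse_status(sns_client.get_topic_attributes(TopicArn=arn)["Attributes"])
        for arn in list_all_topic_arns(sns_client)
    }


def enable_sse(sns_client, topic_arn, key_id=AWS_MANAGED_SNS_KEY):
    """API equivalent of the console's 'Enable encryption' followed by 'Save changes'."""
    sns_client.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="KmsMasterKeyId", AttributeValue=key_id
    )
    # Re-read the attributes so the caller sees what SNS actually stored.
    return sse_status(sns_client.get_topic_attributes(TopicArn=topic_arn)["Attributes"])


class FakeSnsClient:
    """Constructed stand-in for boto3's SNS client: two topics, one already encrypted."""

    def __init__(self):
        self.topics = {
            "arn:aws:sns:us-east-1:123456789012:Orders": {"KmsMasterKeyId": "alias/aws/sns"},
            "arn:aws:sns:us-east-1:123456789012:Audit": {},
        }

    def list_topics(self, NextToken=None):
        arns = list(self.topics)
        if NextToken is None:  # first page: one topic plus a continuation token
            return {"Topics": [{"TopicArn": arns[0]}], "NextToken": "page2"}
        return {"Topics": [{"TopicArn": a} for a in arns[1:]]}

    def get_topic_attributes(self, TopicArn):
        return {"Attributes": dict(self.topics[TopicArn])}

    def set_topic_attributes(self, TopicArn, AttributeName, AttributeValue):
        self.topics[TopicArn][AttributeName] = AttributeValue


if __name__ == "__main__":
    client = FakeSnsClient()
    for arn, status in audit_topics(client).items():
        print(arn, "encrypted" if status["enabled"] else "NOT encrypted")
    print(enable_sse(client, "arn:aws:sns:us-east-1:123456789012:Audit"))
```

Because SetTopicAttributes replaces the key id, the same enable_sse call also rotates a topic from the default key to a customer managed key; the caller's identity then needs kms:DescribeKey on that key, as the Important note above explains.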
Set up an Amazon SNS topic with server-side encryption
When creating your KMS key, use the following KMS key policy statement. The placeholders service, region, customer-account-id, resource-type, customer-resource-id, your_region, and your_sns_topic_name are to be replaced with your own values:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "service.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws-cn:service:region:customer-account-id:resource-type/customer-resource-id"
    },
    "StringEquals": {
      "kms:EncryptionContext:aws:sns:topicArn": "arn:aws-cn:sns:your_region:customer-account-id:your_sns_topic_name"
    }
  }
}
Impact on consumers
When SSE is enabled for an Amazon SNS topic, the process of consuming messages remains unchanged for the subscribers. Amazon manages the encryption and decryption process using KMS. Therefore, subscribers do not need to make any changes to their existing setup to handle encrypted messages. Amazon ensures that messages are encrypted at rest and automatically decrypted before delivery to the subscribers. This means that subscribers will continue to receive and process messages as they did before encryption was enabled, without requiring any additional configuration or decryption logic. Additionally, Amazon recommends using HTTPS to ensure secure transmission of messages.