Enabling server-side encryption (SSE) for an Amazon SNS topic
You can enable server-side encryption (SSE) for a topic to protect its data. For more information about using SSE, see Encryption at rest.
All requests to topics with SSE enabled must use HTTPS and Signature Version 4.
This page shows how to enable, disable, and configure SSE for an existing Amazon SNS topic using the Amazon Web Services Management Console.
To enable server-side encryption (SSE) for an Amazon SNS topic using the Amazon Web Services Management Console
- Sign in to the Amazon SNS console.
- On the navigation panel, choose Topics.
- On the Topics page, choose a topic and choose Actions, Edit.
- Expand the Encryption section and do the following:
  - Choose Enable encryption.
  - Specify the Amazon KMS key. For more information, see Key terms.
    For each KMS type, the Description, Account, and KMS ARN are displayed.
    Important: If you aren't the owner of the KMS, or if you log in with an account that doesn't have the kms:ListAliases and kms:DescribeKey permissions, you won't be able to view information about the KMS on the Amazon SNS console. Ask the owner of the KMS to grant you these permissions. For more information, see the Amazon KMS API Permissions: Actions and Resources Reference in the Amazon Key Management Service Developer Guide.
    - The Amazon managed KMS for Amazon SNS (Default) alias/aws/sns is selected by default.
      Note: Keep the following in mind:
      - The first time you use the Amazon Web Services Management Console to specify the Amazon managed KMS for Amazon SNS for a topic, Amazon KMS creates the Amazon managed KMS for Amazon SNS.
      - Alternatively, the first time you use the Publish action on a topic with SSE enabled, Amazon KMS creates the Amazon managed KMS for Amazon SNS.
    - To use a custom KMS from your Amazon account, choose the Amazon KMS key field and then choose the custom KMS from the list.
      Note: For instructions on creating custom KMSs, see Creating Keys in the Amazon Key Management Service Developer Guide.
    - To use a custom KMS ARN from your Amazon account or from another Amazon account, enter it into the Amazon KMS key field.
- Choose Save changes.
  SSE is enabled for your topic and the MyTopic page is displayed. The topic's Encryption status, Amazon Account, Customer master key (CMK), CMK ARN, and Description are displayed on the Encryption tab.
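The same procedure can be scripted through the SNS SetTopicAttributes API by setting the topic's KmsMasterKeyId attribute. The following is an added example, not code from this page or from Amazon: the helper names (classify_key, enable_sse, StubSNS) and the sample ARNs are constructed for illustration, and the stub client stands in for boto3.client('sns') so the block runs offline.

```python
import re

DEFAULT_KEY = "alias/aws/sns"  # Amazon managed key for Amazon SNS (the console default)
ARN = re.compile(r"^arn:aws[a-z-]*:(kms|sns):[a-z0-9-]+:(\d{12}):(.+)$")
KEY_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def classify_key(key, topic_arn):
    """Say which of the procedure's key choices `key` is, or raise ValueError."""
    topic = ARN.match(topic_arn)
    if not topic or topic.group(1) != "sns":
        raise ValueError("not an SNS topic ARN: %r" % topic_arn)
    if key == DEFAULT_KEY:
        return "default"
    # A bare alias or key ID can only refer to a key in the caller's own account.
    if re.match(r"^alias/[A-Za-z0-9/_-]+$", key) or KEY_ID.match(key):
        return "custom-in-account"
    arn = ARN.match(key)
    if arn and arn.group(1) == "kms" and arn.group(3).startswith(("key/", "alias/")):
        same = arn.group(2) == topic.group(2)  # compare 12-digit account IDs
        return "custom-arn-same-account" if same else "custom-arn-other-account"
    raise ValueError("not a KMS alias, key ID or key ARN: %r" % key)


def enable_sse(sns, topic_arn, key=DEFAULT_KEY):
    """Set KmsMasterKeyId on the topic, then read it back to confirm."""
    kind = classify_key(key, topic_arn)
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="KmsMasterKeyId",
                             AttributeValue=key)
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    if not attrs.get("KmsMasterKeyId"):
        raise RuntimeError("encryption is not enabled on " + topic_arn)
    return kind


class StubSNS:
    """Constructed in-memory stand-in for boto3.client('sns'), so this runs offline."""
    def __init__(self):
        self.attrs = {}

    def set_topic_attributes(self, TopicArn, AttributeName, AttributeValue):
        self.attrs.setdefault(TopicArn, {})[AttributeName] = AttributeValue

    def get_topic_attributes(self, TopicArn):
        return {"Attributes": dict(self.attrs.get(TopicArn, {}))}


if __name__ == "__main__":
    topic = "arn:aws-cn:sns:cn-north-1:111122223333:MyTopic"  # constructed ARN
    other = "arn:aws-cn:kms:cn-north-1:444455556666:key/EXAMPLE-KEY-ID"  # constructed
    print(enable_sse(StubSNS(), topic), enable_sse(StubSNS(), topic, other))
```

Against a real account, pass boto3.client('sns') in place of StubSNS(); the cross-account result is worth logging, since that key is administered outside the topic's account.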