# Managing Amazon SNS encryption keys and costs
<a name="sns-key-management"></a>

The following sections provide information about working with keys managed in Amazon Key Management Service (Amazon KMS).

**Note**  
Amazon SNS only supports symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your service resources. For help determining whether a KMS key is a symmetric encryption key, see [Identifying asymmetric KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/find-symm-asymm.html).

## Estimating Amazon KMS costs
<a name="sse-estimate-kms-usage-costs"></a>

To predict costs and better understand your Amazon bill, you might want to know how often Amazon SNS uses your Amazon KMS key.

**Note**  
Although the following formula can give you a very good idea of expected costs, actual costs might be higher because of the distributed nature of Amazon SNS.

To calculate the number of API requests (`R`) *per topic*, use the following formula:

```
R = B / D * (2 * P)
```

`B` is the billing period (in seconds).

`D` is the data key reuse period (in seconds—Amazon SNS reuses a data key for up to 5 minutes).

`P` is the number of publishing [principals](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html#Principal) that send to the Amazon SNS topic.

The following are example calculations. For exact pricing information, see [Amazon Key Management Service Pricing](http://www.amazonaws.cn/kms/pricing/).

### Example 1: Calculating the number of Amazon KMS API calls for 1 publisher and 1 topic
<a name="example-1-topic-1-publisher"></a>

This example assumes the following:
+ The billing period is January 1-31 (2,678,400 seconds).
+ The data key reuse period is 5 minutes (300 seconds).
+ There is 1 topic.
+ There is 1 publishing principal.

```
2,678,400 / 300 * (2 * 1) = 17,856
```

### Example 2: Calculating the number of Amazon KMS API calls for multiple publishers and 2 topics
<a name="example-2-topics-multiple-publishers"></a>

This example assumes the following:
+ The billing period is February 1-28 (2,419,200 seconds).
+ The data key reuse period is 5 minutes (300 seconds).
+ There are 2 topics.
+ The first topic has 3 publishing principals.
+ The second topic has 5 publishing principals.

```
(2,419,200 / 300 * (2 * 3)) + (2,419,200 / 300 * (2 * 5)) = 129,024
```
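The two examples above apply the formula `R = B / D * (2 * P)` by hand. The following added Python helper (not part of the Amazon SNS documentation) generalizes it: it derives the billing-period seconds from a calendar month, applies the 5-minute data key reuse period the page states, and sums the per-topic request counts across any number of topics with differing publisher counts. The `price_per_10k_requests` argument is a placeholder you supply from the KMS pricing page; it is not a value taken from this page.

```python
import calendar

# The page states that Amazon SNS reuses a data key for up to 5 minutes (D).
DATA_KEY_REUSE_SECONDS = 300
SECONDS_PER_DAY = 24 * 60 * 60


def billing_period_seconds(year: int, month: int) -> int:
    """B: seconds in a calendar-month billing period (whole days, inclusive)."""
    days_in_month = calendar.monthrange(year, month)[1]
    return days_in_month * SECONDS_PER_DAY


def kms_requests_per_topic(billing_seconds: int, publishers: int,
                           reuse_seconds: int = DATA_KEY_REUSE_SECONDS) -> int:
    """R = B / D * (2 * P): each publishing principal costs one GenerateDataKey
    plus one Decrypt call per data key reuse period, per topic."""
    if publishers < 0 or billing_seconds < 0 or reuse_seconds <= 0:
        raise ValueError("arguments must be non-negative and reuse period positive")
    # A day is an exact multiple of 300 seconds, so integer division is exact here.
    return billing_seconds // reuse_seconds * (2 * publishers)


def kms_requests_for_topics(billing_seconds: int, publishers_per_topic) -> int:
    """Total API requests across several topics, one publisher count per topic."""
    return sum(kms_requests_per_topic(billing_seconds, p) for p in publishers_per_topic)


def estimated_kms_cost(total_requests: int, price_per_10k_requests: float) -> float:
    """Rough cost estimate; the price is a caller-supplied placeholder, because
    this page defers exact pricing to the KMS pricing page."""
    return total_requests / 10_000 * price_per_10k_requests


if __name__ == "__main__":
    # Example 1 from the page: January (31 days), 1 topic, 1 publisher.
    jan = billing_period_seconds(2023, 1)
    print("Example 1:", kms_requests_per_topic(jan, 1))           # 17856

    # Example 2 from the page: February (28 days), topics with 3 and 5 publishers.
    feb = billing_period_seconds(2023, 2)
    print("Example 2:", kms_requests_for_topics(feb, [3, 5]))     # 129024
```

The year is an assumption only insofar as February's length depends on it; 2023 is a non-leap year, matching the 28-day period in Example 2. Because Amazon SNS is distributed, treat the result as a lower bound, as the note above says.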

## Configuring Amazon KMS permissions
<a name="sns-what-permissions-for-sse"></a>

Before you can use SSE, you must configure Amazon KMS key policies to allow encryption of topics and encryption and decryption of messages. For examples and more information about Amazon KMS permissions, see [Amazon KMS API Permissions: Actions and Resources Reference](https://docs.amazonaws.cn/kms/latest/developerguide/kms-api-permissions-reference.html) in the *Amazon Key Management Service Developer Guide*. For details on how to set up an Amazon SNS topic with server-side encryption, see [Additional information](sns-enable-encryption-for-topic.md#set-up-topic-with-sse).

**Note**  
You can also manage permissions for symmetric encryption KMS keys using IAM policies. For more information, see [Using IAM Policies with Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/iam-policies.html).  
While you can configure global permissions to send to and receive from Amazon SNS, Amazon KMS requires that you explicitly name the full ARN of the KMS keys in specific Regions in the `Resource` section of an IAM policy.

You must also ensure that the key policies of the Amazon KMS key allow the necessary permissions. To do this, name the principals that produce and consume encrypted messages in Amazon SNS as users in the KMS key policy. 

Alternatively, you can specify the required Amazon KMS actions and KMS ARN in an IAM policy assigned to the principals that publish and subscribe to receive encrypted messages in Amazon SNS. For more information, see [Managing Access to Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/control-access-overview.html#managing-access) in the *Amazon Key Management Service Developer Guide*.

If you select a customer managed key for your Amazon SNS topic and you use aliases to control access to KMS keys through IAM policies or KMS key policies with the `kms:ResourceAliases` condition key, ensure that the selected customer managed key also has an alias associated with it. For more information on using aliases to control access to KMS keys, see [Using aliases to control access to KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/alias-authorization.html) in the *Amazon Key Management Service Developer Guide*.

### Allow a user to send messages to a topic with SSE
<a name="send-to-encrypted-topic"></a>

The publisher must have the `kms:GenerateDataKey*` and `kms:Decrypt` permissions for the Amazon KMS key.

```
{
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey*",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws-cn:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }, {
    "Effect": "Allow",
    "Action": [
      "sns:Publish"
    ],
    "Resource": "arn:aws-cn:sns:*:123456789012:MyTopic"
  }]
}
```

### Enable compatibility between event sources from Amazon services and encrypted topics
<a name="compatibility-with-aws-services"></a>

Several Amazon services publish events to Amazon SNS topics. To allow these event sources to work with encrypted topics, you must perform the following steps.

1. Use a customer managed key. For more information, see [Creating Keys](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html) in the *Amazon Key Management Service Developer Guide*.

1. To allow the Amazon service to have the `kms:GenerateDataKey*` and `kms:Decrypt` permissions, add the following statement to the KMS key policy.

   ```
   {
     "Statement": [{
       "Effect": "Allow",
       "Principal": {
         "Service": "{{service}}.amazonaws.com"
       },
       "Action": [
         "kms:GenerateDataKey*",
         "kms:Decrypt"
       ],
       "Resource": "*"
     }]
   }
   ```
   **Note**  
   Some Amazon SNS event sources require you to provide an IAM role (rather than the service principal) in the Amazon KMS key policy:
   + [Amazon EC2 Auto Scaling](https://docs.amazonaws.cn/autoscaling/ec2/userguide/ASGettingNotifications.html)
   + [Amazon Elastic Transcoder](https://docs.amazonaws.cn/elastictranscoder/latest/developerguide/notifications.html)
   + [Amazon CodePipeline](https://docs.amazonaws.cn/codepipeline/latest/userguide/approvals.html#approvals-configuration-options)
   + [Amazon Config](https://docs.amazonaws.cn/config/latest/developerguide/notifications-for-AWS-Config.html)
   + [Amazon Elastic Beanstalk](https://docs.amazonaws.cn/elasticbeanstalk/latest/dg/using-features.managing.sns.html)
   + [Amazon IoT](https://docs.amazonaws.cn/iot/latest/developerguide/iot-sns-rule.html)
   + [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/ibhow-integrations.html#integ-sns-encrypted)

1. Add the `aws:SourceAccount` and `aws:SourceArn` condition keys to the KMS key policy to further protect the KMS key from [confused deputy](https://docs.amazonaws.cn/IAM/latest/UserGuide/confused-deputy.html) attacks. Refer to the service-specific documentation listed above for the exact values to use in each case.

   **Important**  
   Adding the `aws:SourceAccount`, `aws:SourceArn`, and `aws:SourceOrgID` condition keys to an Amazon KMS key policy is not supported for EventBridge-to-encrypted-topic delivery.

   ```
   {
     "Effect": "Allow",
     "Principal": {
       "Service": "service.amazonaws.com"
     },
     "Action": [
       "kms:GenerateDataKey*",
       "kms:Decrypt"
     ],
     "Resource": "*",
     "Condition": {
       "StringEquals": {
         "aws:SourceAccount": "{{customer-account-id}}"
       },
       "ArnLike": {
         "aws:SourceArn": "arn:aws-cn:service:region:{{customer-account-id}}:resource-type:{{customer-resource-id}}"
       }
     }
   }
   ```

1. [Enable SSE for your topic](sns-enable-encryption-for-topic.md) using your KMS key.

1. Provide the ARN of the encrypted topic to the event source.
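Step 3 above is easy to skip when a key policy is built by hand, and the resulting statement grants any instance of a service principal, in any account, the ability to decrypt with the key. The following Python check is an added example (not a tool from the Amazon SNS or Amazon KMS documentation) that audits a KMS key policy document offline and reports every `Allow` statement that grants `kms:GenerateDataKey*` or `kms:Decrypt` to a `Service` principal without both the `aws:SourceAccount` and `aws:SourceArn` condition keys. The embedded policy is constructed for the example: it pairs the page's unscoped service-principal statement with the scoped form from step 3 and an ordinary key-administrator statement, using the `service.amazonaws.com` placeholder from the page. Because the page notes that these condition keys are not supported for EventBridge-to-encrypted-topic delivery, the function reports findings for review rather than treating every one as a defect.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample key policy (not from the page): one unscoped grant, one
# scoped grant, and a key-administrator statement that should not be flagged.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEventSourceUnscoped",
      "Effect": "Allow",
      "Principal": {"Service": "service.amazonaws.com"},
      "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
      "Resource": "*"
    },
    {
      "Sid": "AllowEventSourceScoped",
      "Effect": "Allow",
      "Principal": {"Service": "service.amazonaws.com"},
      "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:SourceAccount": "123456789012"},
        "ArnLike": {"aws:SourceArn": "arn:aws-cn:service:region:123456789012:resource-type:my-resource"}
      }
    },
    {
      "Sid": "AllowKeyAdministrators",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws-cn:iam::123456789012:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
""")

# Actions named in the page's event-source statement; a policy pattern such as
# "kms:GenerateDataKey*" or "kms:*" matches them via wildcard comparison.
SENSITIVE_ACTIONS = ("kms:generatedatakey", "kms:decrypt")
REQUIRED_CONDITION_KEYS = ("aws:SourceAccount", "aws:SourceArn")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_sensitive_action(statement):
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(fnmatchcase(action, pattern)
               for action in SENSITIVE_ACTIONS for pattern in patterns)


def _condition_keys(statement):
    """Condition keys present in the statement, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def find_unscoped_service_grants(policy):
    """Return one finding per Allow statement that lets a service principal use
    GenerateDataKey/Decrypt without both confused-deputy condition keys."""
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or an account principal is outside this check's scope
        services = _as_list(principal.get("Service"))
        if not services or not _grants_sensitive_action(statement):
            continue
        present = _condition_keys(statement)
        missing = [k for k in REQUIRED_CONDITION_KEYS if k.lower() not in present]
        if missing:
            findings.append({"sid": statement.get("Sid"),
                             "services": services, "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in find_unscoped_service_grants(SAMPLE_KEY_POLICY):
        print(f"review {finding['sid']}: {finding['services']} "
              f"lacks {', '.join(finding['missing'])}")
```

Run it against the output of a key policy export before applying the policy; a clean run means every service-principal grant on the key is pinned to a source account and resource, which is the property step 3 is meant to establish.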

## Amazon KMS errors
<a name="sse-troubleshooting-errors"></a>

When you work with Amazon SNS and Amazon KMS, you might encounter errors. The following list describes the errors and possible troubleshooting solutions.

**KMSAccessDeniedException**  
The ciphertext references a key that doesn't exist or that you don't have access to.  
HTTP Status Code: 400

**KMSDisabledException**  
The request was rejected because the specified KMS key isn't enabled.  
HTTP Status Code: 400

**KMSInvalidStateException**  
The request was rejected because the state of the specified resource isn't valid for this request. For more information, see [Key states of Amazon KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/key-state.html) in the *Amazon Key Management Service Developer Guide*.  
HTTP Status Code: 400

**KMSNotFoundException**  
The request was rejected because the specified entity or resource can't be found.  
HTTP Status Code: 400

**KMSOptInRequired**  
The Amazon access key ID needs a subscription for the service.  
HTTP Status Code: 403

**KMSThrottlingException**  
The request was denied due to request throttling. For more information about throttling, see [Quotas](https://docs.amazonaws.cn/kms/latest/developerguide/limits.html#requests-per-second) in the *Amazon Key Management Service Developer Guide*.  
HTTP Status Code: 400