Creating data protection policies to secure message data (Console) - Amazon Simple Notification Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating data protection policies to secure message data (Console)

The number and size of Amazon SNS resources in an Amazon account are limited. For more information, see Amazon Simple Notification Service endpoints and quotas.

To create a data protection policy together with an Amazon SNS topic (Console)

Use this option to create a new data protection policy together with a standard Amazon SNS topic:

  1. Sign in to the Amazon SNS console.

  2. Choose a topic or create a new one. For more details on creating topics, see Creating an Amazon SNS topic.

  3. On the Create topic page, in the Details section, choose Standard.

    1. Enter a Name for the topic.

    2. (Optional) Enter a Display name for the topic.

  4. Expand Data protection policy.

  5. Choose a Configuration mode:

    • Basic – Define a data protection policy using a simple menu.

    • Advanced – Define a custom data protection policy using JSON.

  6. Choose the statement(s) that you'd like to add to your data protection policy. You can add audit, de-identify (mask or redact), and deny (block) statement types to the same data protection policy.

    1. Add audit statement – Configure which sensitive data to audit, what percentage of messages you want to audit for that data, and where to send audit logs.

      Note

      Only one audit statement is allowed per data protection policy or topic.

      1. Select data identifiers to define the sensitive data that you want to audit.

      2. For Audit sample rate, enter the percentage of messages to audit for sensitive information, up to a maximum of 99%.

      3. For Audit destination, select which Amazon Web Services to send the audit finding results, and enter a destination name for each Amazon Web Service that you use. You can select from the following Amazon Web Services:

        • Amazon CloudWatch – CloudWatch Logs is the Amazon standard logging solution. Using CloudWatch Logs, you can perform log analytics using Logs Insights (see samples here) and create metrics and alarms. CloudWatch Logs is where many services publish logs, which makes it easier to aggregate all logs using one solution. For information about Amazon CloudWatch, see the Amazon CloudWatch User Guide.

        • Amazon Kinesis Data Firehose – Kinesis Data Firehose satisfies the demands for real-time streaming to Splunk, OpenSearch, and Amazon Redshift for further log analytics. For information about Amazon Kinesis Data Firehose, see the Amazon Kinesis Data Firehose User Guide.

        • Amazon Simple Storage Service – Amazon S3 is an economical log destination for archival purposes. You may be required to retain logs for a period of years. In this case, you can put logs into Amazon S3 to save costs. For information about Amazon Simple Storage Service, see the Amazon Simple Storage Service User Guide.

    2. Add a de-identify statement – Configure the sensitive data you want to de-identify in the message, whether you want to mask or redact that data, and the accounts to stop delivery of that data.

      Note

      The de-identify operation is available for inbound messages only.

      1. For Data identifiers, select the sensitive data that you want to de-identify.

      2. For Define this de-identify statement for, select the Amazon accounts or IAM principals to which this de-identify statement applies. You can apply it to all Amazon accounts, or to specific Amazon accounts or IAM entities (account roots, roles, or users) that use account IDs or IAM entity ARNs. Separate multiple IDs or ARNs using a comma ( , ).

        The following IAM principals are supported:

        • IAM account principals – For example,arn:aws-cn:iam::Amazon-account-ID:root.

        • IAM role principals – For example, arn:aws-cn:iam::Amazon-account-ID:role/role-name.

        • IAM user principals – For example, arn:aws-cn:iam::Amazon-account-ID:user/user-name.

      3. For De-identify Option, select how you want to de-identify the sensitive data. The following options are supported:

        • Redact – Completely removes data. For example, email: classified@amazon.com becomes email: .

        • Mask – Replaces the data with single characters. For example, email: classified@amazon.com becomes email: *********************.

      4. (Optional) Continue to add de-identify statements as needed.

    3. Add deny statement – Configure which sensitive data to prevent from moving through your topic, and which principals to prevent from delivering that data.

      1. For data direction , choose the direction of the messages for the deny statement:

        • Inbound messages – Apply this deny statement to messages that are sent to the topic.

        • Outbound messages – Apply this deny statement to messages that the topic delivers to subscription endpoints.

      2. Choose the data identifiers to define the sensitive data that you want to deny.

      3. Choose the IAM principals that apply to this deny statement. You can apply it to all Amazon accounts, to specific Amazon Web Services accounts, or IAM entities (for example, account roots, roles, or users) that use account IDs or IAM entity ARNs. Separate multiple IDs or ARNs using a comma ( , ). The following IAM principals are supported:

        • IAM account principals – For example, arn:aws-cn:iam::Amazon-account-ID:root.

        • IAM role principals – For example, arn:aws-cn:iam::Amazon-account-ID:role/role-name.

        • IAM user principals – For example, arn:aws-cn:iam::Amazon-account-ID:user/user-name.

      4. (Optional) Continue to add deny statements as needed.