Securing Amazon SNS data with server-side encryption - Amazon Simple Notification Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Securing Amazon SNS data with server-side encryption

Server-side encryption (SSE) lets you store sensitive data in encrypted topics. It protects the contents of messages in Amazon SNS topics using keys managed in Amazon Key Management Service (Amazon KMS).

SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored in encrypted form and decrypted only when they are delivered to subscribers.

Important

All requests to topics with SSE enabled must use HTTPS and Signature Version 4.

For information about compatibility of other services with encrypted topics, see your service documentation.

Amazon SNS only supports symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your service resources. For help determining whether a KMS key is a symmetric encryption key, see Identifying asymmetric KMS keys.

Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When you use Amazon SNS with Amazon KMS, the data keys that encrypt your message data are also encrypted and stored with the data they protect.

The following are benefits of using Amazon KMS:

  • You can create and manage the Amazon KMS key yourself.

  • You can also use Amazon managed KMS keys for Amazon SNS, which are unique for each account and Region.

  • The Amazon KMS security standards can help you meet encryption-related compliance requirements.

For more information, see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

Encryption scope

SSE encrypts the body of a message in an Amazon SNS topic.

SSE doesn't encrypt the following:

  • Topic metadata (topic name and attributes)

  • Message metadata (subject, message ID, timestamp, and attributes)

  • Data protection policy

  • Per-topic metrics

Note

  • A message is encrypted only if it is sent after the encryption of a topic is enabled. Amazon SNS doesn't encrypt backlogged messages.

  • Any encrypted message remains encrypted even if the encryption of its topic is disabled.
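The encryption scope above leaves Subject and MessageAttributes in plaintext, so the practical rule is to confine anything sensitive to the message body. The following Python is an added example written for this page, not code from Amazon SNS or the AWS SDK. It builds the keyword arguments for an SNS Publish call so that the payload goes only into Message, while the unencrypted fields carry only allow-listed routing values that do not repeat payload data. The topic ARN, the attribute allowlist and the payload are constructed for illustration.

```python
import json
from typing import Any, Dict, Mapping

# Hypothetical publish-request builder written for this page; it is not part of Amazon SNS
# or the AWS SDK. Only the Message body of an SNS message is encrypted at rest, so the
# sensitive payload goes there. Subject and MessageAttributes are stored and delivered in
# plaintext and may carry only allow-listed routing fields whose values do not repeat
# anything from the payload.

# Attribute names that subscribers filter on; chosen for this example (constructed).
ROUTING_ATTRIBUTE_ALLOWLIST = frozenset({"event_type", "tenant_tier", "schema_version"})


class PlaintextLeakError(ValueError):
    """Raised when data from the sensitive payload would land in an unencrypted field."""


def _flatten_values(obj: Any):
    """Yield every scalar value in a nested JSON-like payload, as strings."""
    if isinstance(obj, Mapping):
        for v in obj.values():
            yield from _flatten_values(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _flatten_values(v)
    elif obj is not None:
        yield str(obj)


def build_publish_request(topic_arn: str, payload: Mapping[str, Any],
                          routing: Mapping[str, str], subject: str = "") -> Dict[str, Any]:
    """Return keyword arguments for SNS Publish with the payload confined to the encrypted body."""
    payload_values = set(_flatten_values(payload))

    # Subject is stored unencrypted: refuse anything copied out of the payload.
    if subject and subject in payload_values:
        raise PlaintextLeakError("Subject repeats a value from the sensitive payload")

    attributes: Dict[str, Dict[str, str]] = {}
    for name, value in routing.items():
        if name not in ROUTING_ATTRIBUTE_ALLOWLIST:
            raise PlaintextLeakError(f"message attribute {name!r} is not an allow-listed routing field")
        if str(value) in payload_values:
            raise PlaintextLeakError(f"message attribute {name!r} repeats a value from the sensitive payload")
        # Shape the SNS Publish API expects for MessageAttributes.
        attributes[name] = {"DataType": "String", "StringValue": str(value)}

    # The body is the only field SSE encrypts; serialize the whole payload into it.
    request: Dict[str, Any] = {
        "TopicArn": topic_arn,
        "Message": json.dumps(payload, separators=(",", ":")),
    }
    if subject:
        request["Subject"] = subject
    if attributes:
        request["MessageAttributes"] = attributes
    return request


if __name__ == "__main__":
    # Constructed sample: these fields must only ever appear in the encrypted body.
    sample_payload = {"customer": {"email": "alice@example.com", "account_number": "1234567890"}, "amount": 42}
    sample_request = build_publish_request(
        "arn:aws:sns:us-east-1:111122223333:payments",  # constructed topic ARN
        sample_payload, {"event_type": "payment.created"}, subject="payment event")
    print(json.dumps(sample_request, indent=2))
```

The same request shape can be passed straight to an SDK Publish call; the point of the builder is that a developer cannot put a payload field into an attribute or subject without an explicit allowlist change, which is where the plaintext metadata listed above would otherwise leak.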

Key terms

The following key terms can help you better understand the functionality of SSE. For detailed descriptions, see the Amazon Simple Notification Service API Reference.

Data key

The data encryption key (DEK) responsible for encrypting the contents of Amazon SNS messages.

For more information, see Data Keys in the Amazon Key Management Service Developer Guide and Envelope Encryption in the Amazon Encryption SDK Developer Guide.

Amazon KMS key ID

The alias, alias ARN, key ID, or key ARN of an Amazon KMS key in your account or in another account. The alias of the Amazon managed KMS key for Amazon SNS is always alias/aws/sns; the alias of a customer managed KMS key can be, for example, alias/MyAlias. A bare key ID or alias name always refers to a key in your own account and Region, so to use a key in another account you must specify its key ARN or alias ARN. You can use these KMS keys to protect the messages in Amazon SNS topics.

Note

Keep the following in mind:

  • The first time you use the Amazon Web Services Management Console to specify the Amazon managed KMS key for Amazon SNS for a topic, Amazon KMS creates the Amazon managed KMS key for Amazon SNS.

  • Alternatively, the first time you use the Publish action on a topic with SSE enabled, Amazon KMS creates the Amazon managed KMS key for Amazon SNS.

You can create Amazon KMS keys, define the policies that control how Amazon KMS keys can be used, and audit Amazon KMS usage using the Amazon KMS keys section of the Amazon KMS console or the CreateKey Amazon KMS action. For more information, see Amazon KMS keys and Creating Keys in the Amazon Key Management Service Developer Guide. For more examples of Amazon KMS identifiers, see KeyId in the Amazon Key Management Service API Reference. For information about finding Amazon KMS identifiers, see Find the Key ID and ARN in the Amazon Key Management Service Developer Guide.
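The four identifier forms above are easy to mix up, and only the ARN forms can name a key in another account. The following Python is an added example written for this page, not part of Amazon SNS or the AWS SDK. It classifies an identifier as a key ID, key ARN, alias name or alias ARN, extracts partition, Region and account from the ARN forms, flags the Amazon managed alias alias/aws/sns, and reports whether a key is cross-account relative to a caller's account. The sample identifiers and account numbers are constructed; KmsMasterKeyId is the topic attribute in which Amazon SNS stores this identifier.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical helper written for this page; it is not part of Amazon SNS or the AWS SDK.
# The four accepted identifier forms (key ID, key ARN, alias name, alias ARN) follow the
# KeyId parameter documented in the AWS KMS API Reference. Sample values are constructed.

SNS_MANAGED_ALIAS = "alias/aws/sns"

# A key ID is a UUID-shaped string.
_KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
# An alias name carries the required "alias/" prefix; alias/aws/... names Amazon managed keys.
_ALIAS_NAME_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
# Key and alias ARNs differ only in the resource part; the partition covers China Regions too.
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<resource>key/.+|alias/.+)$")


@dataclass(frozen=True)
class KmsKeyIdentifier:
    raw: str
    form: str                  # "key_id", "key_arn", "alias_name" or "alias_arn"
    partition: Optional[str]   # known only for the ARN forms
    region: Optional[str]
    account: Optional[str]
    alias_name: Optional[str]  # "alias/..." for the alias forms

    @property
    def is_sns_managed(self) -> bool:
        """True for the Amazon managed KMS key for Amazon SNS (alias/aws/sns)."""
        return self.alias_name == SNS_MANAGED_ALIAS


def parse_kms_key_identifier(value: str) -> KmsKeyIdentifier:
    """Classify one KMS key identifier; raise ValueError for anything outside the four forms."""
    value = value.strip()
    if _KEY_ID_RE.match(value):
        return KmsKeyIdentifier(value, "key_id", None, None, None, None)
    if _ALIAS_NAME_RE.match(value):
        return KmsKeyIdentifier(value, "alias_name", None, None, None, value)
    m = _ARN_RE.match(value)
    if m:
        resource = m["resource"]
        if resource.startswith("key/"):
            if not _KEY_ID_RE.match(resource[len("key/"):]):
                raise ValueError(f"key ARN does not end in a key ID: {value}")
            return KmsKeyIdentifier(value, "key_arn", m["partition"], m["region"], m["account"], None)
        if not _ALIAS_NAME_RE.match(resource):
            raise ValueError(f"alias ARN has a malformed alias name: {value}")
        return KmsKeyIdentifier(value, "alias_arn", m["partition"], m["region"], m["account"], resource)
    raise ValueError(f"not a KMS key ID, key ARN, alias name or alias ARN: {value}")


def is_cross_account(identifier: KmsKeyIdentifier, caller_account: str) -> Optional[bool]:
    """True when an ARN names a key in another account; None when the form carries no account.

    A bare key ID or alias name is always resolved in the caller's own account and Region,
    so only the ARN forms can reach a key in another account.
    """
    if identifier.account is None:
        return None
    return identifier.account != caller_account


def sse_topic_attribute(identifier: KmsKeyIdentifier) -> Dict[str, str]:
    """The SNS topic attribute (SetTopicAttributes) that holds the key identifier and enables SSE."""
    return {"KmsMasterKeyId": identifier.raw}


if __name__ == "__main__":
    # Constructed identifiers; 111122223333 is the caller's account in this example.
    for sample in ("alias/aws/sns",
                   "arn:aws-cn:kms:cn-north-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                   "arn:aws:kms:us-west-2:111122223333:alias/MyAlias"):
        ident = parse_kms_key_identifier(sample)
        print(ident.form, ident.is_sns_managed, is_cross_account(ident, "111122223333"),
              sse_topic_attribute(ident))
```

A cross-account result of True is the case to look at twice: the key policy in the other account, not your topic's policy, decides whether Amazon SNS can use that key, so a publish that fails after enabling SSE usually traces back there rather than to the topic.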

Important

There are additional charges for using Amazon KMS. For more information, see Estimating Amazon KMS costs and Amazon Key Management Service Pricing.