

# Securing Amazon SNS data with server-side encryption
<a name="sns-server-side-encryption"></a>

Server-side encryption (SSE) lets you store sensitive data in encrypted topics. It protects the contents of messages in Amazon SNS topics with keys managed in Amazon Key Management Service (Amazon KMS).

SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored in encrypted form and decrypted only when they are sent to subscribers.
+ For information about managing SSE using the Amazon Web Services Management Console or the Amazon SDK for Java (by setting the `KmsMasterKeyId` attribute using the `[CreateTopic](https://docs.amazonaws.cn/sns/latest/api/API_CreateTopic.html)` and `[SetTopicAttributes](https://docs.amazonaws.cn/sns/latest/api/API_SetTopicAttributes.html)` API actions), see [Setting up Amazon SNS topic encryption with server-side encryption](sns-enable-encryption-for-topic.md). 
+ For information about creating encrypted topics using Amazon CloudFormation (by setting the `KmsMasterKeyId` property using the `[AWS::SNS::Topic](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html)` resource), see the *Amazon CloudFormation User Guide*.

**Important**  
All requests to topics with SSE enabled must use HTTPS and [Signature Version 4](https://docs.amazonaws.cn/general/latest/gr/signature-version-4.html).  
For information about compatibility of other services with encrypted topics, see your service documentation.  
Amazon SNS only supports symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your service resources. For help determining whether a KMS key is a symmetric encryption key, see [Identifying asymmetric KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/find-symm-asymm.html).
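
As an added example (not code from the Amazon SNS documentation), the following Python helpers enable SSE on an existing topic with `SetTopicAttributes`, read the setting back with `GetTopicAttributes`, and carry two offline checks worth running before a key is wired in: that the identifier is one of the four accepted `KmsMasterKeyId` forms (key ID, key ARN, alias, alias ARN) and that the key's `DescribeKey` metadata describes a symmetric encryption key. The identifier patterns, the sample responses and the topic ARN are constructed for this example; `enable_sse` assumes boto3 with configured credentials and region.

```python
"""Enable and verify SSE on an Amazon SNS topic (added example, not from the
Amazon SNS documentation). The check functions run offline; enable_sse makes
real API calls and assumes boto3 plus configured credentials and region."""
import re

# Accepted KmsMasterKeyId forms: key ID, key ARN, alias name, alias ARN.
# The patterns are this example's simplification of the documented KeyId formats.
_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_ALIAS = r"alias/[A-Za-z0-9/_-]+"
_ARN_PREFIX = r"arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:"
_KEY_ID_FORMS = tuple(re.compile(p) for p in (
    rf"^{_UUID}$",                   # key ID
    rf"^{_ARN_PREFIX}key/{_UUID}$",  # key ARN (aws, aws-cn, aws-us-gov partitions)
    rf"^{_ALIAS}$",                  # alias, e.g. alias/aws/sns or alias/MyAlias
    rf"^{_ARN_PREFIX}{_ALIAS}$",     # alias ARN
))


def is_valid_kms_key_id(key_id: str) -> bool:
    """True if key_id is shaped like a KMS key ID, key ARN, alias, or alias ARN."""
    return any(form.match(key_id) for form in _KEY_ID_FORMS)


def is_symmetric_encryption_key(key_metadata: dict) -> bool:
    """True for a symmetric encryption key, the only key type SNS SSE accepts.
    key_metadata is the KeyMetadata dict returned by kms:DescribeKey."""
    return (key_metadata.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and key_metadata.get("KeyUsage") == "ENCRYPT_DECRYPT")


def sse_status(topic_attributes: dict) -> dict:
    """Summarise SSE from the Attributes dict of sns:GetTopicAttributes.
    SSE is on when KmsMasterKeyId is present and non-empty; disabling SSE
    sets it to an empty string, so "" is treated the same as absent."""
    key_id = topic_attributes.get("KmsMasterKeyId", "")
    return {
        "enabled": bool(key_id),
        "key_id": key_id or None,
        "aws_managed": key_id == "alias/aws/sns" or key_id.endswith(":alias/aws/sns"),
    }


def enable_sse(topic_arn: str, key_id: str) -> dict:
    """Set KmsMasterKeyId on topic_arn, read it back, and return sse_status()."""
    import boto3  # imported here so the offline checks above need no boto3
    if not is_valid_kms_key_id(key_id):
        raise ValueError(f"not a KMS key identifier: {key_id!r}")
    sns = boto3.client("sns")
    sns.set_topic_attributes(TopicArn=topic_arn,
                             AttributeName="KmsMasterKeyId",
                             AttributeValue=key_id)
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    status = sse_status(attrs)
    if not status["enabled"]:
        raise RuntimeError(f"SSE still off on {topic_arn} after SetTopicAttributes")
    return status


# Constructed sample responses (not captured from a real account).
SAMPLE_SYMMETRIC_KEY = {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                        "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"}
SAMPLE_SIGNING_KEY = {"KeyId": "abcd1234-12ab-34cd-56ef-1234567890ab",
                      "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}
SAMPLE_ENCRYPTED_TOPIC = {"TopicArn": "arn:aws-cn:sns:cn-north-1:111122223333:orders",
                          "KmsMasterKeyId": "alias/aws/sns"}
SAMPLE_PLAIN_TOPIC = {"TopicArn": "arn:aws-cn:sns:cn-north-1:111122223333:orders"}

if __name__ == "__main__":
    assert is_valid_kms_key_id("alias/aws/sns")
    assert is_symmetric_encryption_key(SAMPLE_SYMMETRIC_KEY)
    assert not is_symmetric_encryption_key(SAMPLE_SIGNING_KEY)
    print(sse_status(SAMPLE_ENCRYPTED_TOPIC), sse_status(SAMPLE_PLAIN_TOPIC))
```

Run `enable_sse(topic_arn, "alias/aws/sns")` to use the Amazon managed key, or pass a customer managed key's ARN. With a customer managed key in another account, the key ARN (not an alias) is required, and that key's policy must also allow the Amazon SNS service principal to use it; that key-policy setup is outside this page. Run `is_symmetric_encryption_key` on the `KeyMetadata` from `kms:DescribeKey` before `enable_sse`, since SNS rejects asymmetric and HMAC keys.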

Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. When you use Amazon SNS with Amazon KMS, the [data keys](#sse-key-terms) that encrypt your message data are also encrypted and stored with the data they protect.

The following are benefits of using Amazon KMS:
+ You can create and manage the [Amazon KMS key](#sse-key-terms) yourself.
+ You can also use Amazon-managed KMS keys for Amazon SNS, which are unique for each account and region.
+ The Amazon KMS security standards can help you meet encryption-related compliance requirements.

For more information, see [What is Amazon Key Management Service?](https://docs.amazonaws.cn/kms/latest/developerguide/overview.html) in the *Amazon Key Management Service Developer Guide*.

## Encryption scope
<a name="what-does-sse-encrypt"></a>

SSE encrypts the body of a message in an Amazon SNS topic.

SSE doesn't encrypt the following:
+ Topic metadata (topic name and attributes)
+ Message metadata (subject, message ID, timestamp, and attributes)
+ Data protection policy 
+ Per-topic metrics

**Note**  
A message is encrypted only if it is sent after the encryption of a topic is enabled. Amazon SNS doesn't encrypt backlogged messages.
Any encrypted message remains encrypted even if the encryption of its topic is disabled.
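
Because the subject and the message attributes stay in plaintext, a publisher should keep sensitive values in the message body, which is the field SSE encrypts. The following Python guard, an added example rather than anything from the Amazon SNS documentation, scans the unencrypted fields of a `Publish` request before the request is built; the detector patterns and the sample payloads are constructed for this example and stand in for whatever data classification applies.

```python
"""Keep sensitive values out of the Amazon SNS fields that SSE leaves in
plaintext: the subject and the message attributes (names and values).
Added example, not from the Amazon SNS documentation; the patterns are a
constructed starting point, not a complete data classification."""
import re

# Constructed detector patterns for this example.
SENSITIVE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "secret_assignment": re.compile(r"(?i)\b(?:password|passwd|secret|token)\s*[=:]\s*\S+"),
}


def find_plaintext_leaks(subject, message_attributes):
    """Return [(field, pattern_name), ...] for every hit in the fields SSE does
    not encrypt. message_attributes is the sns:Publish MessageAttributes map:
    {name: {"DataType": "String", "StringValue": "..."}}."""
    fields = {"Subject": subject or ""}
    for name, attr in (message_attributes or {}).items():
        # Attribute names are plaintext too, so scan name and value together.
        fields[f"MessageAttributes.{name}"] = f"{name} {attr.get('StringValue', '')}"
    findings = []
    for field, text in fields.items():
        for pattern_name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                findings.append((field, pattern_name))
    return findings


def build_publish_request(topic_arn, message, subject=None, message_attributes=None):
    """Build the kwargs for sns.publish, refusing any request whose unencrypted
    fields carry sensitive data. The body (Message) is the field SSE encrypts
    at rest, so sensitive content belongs there, not in Subject or attributes."""
    leaks = find_plaintext_leaks(subject, message_attributes)
    if leaks:
        raise ValueError(f"sensitive data in unencrypted SNS fields: {leaks}")
    request = {"TopicArn": topic_arn, "Message": message}
    if subject:
        request["Subject"] = subject
    if message_attributes:
        request["MessageAttributes"] = message_attributes
    return request


# Constructed sample payloads.
TOPIC_ARN = "arn:aws-cn:sns:cn-north-1:111122223333:password-resets"
SAFE_ATTRS = {"event": {"DataType": "String", "StringValue": "reset_requested"}}
LEAKY_ATTRS = {"token": {"DataType": "String",
                         "StringValue": "secret=AKIAIOSFODNN7EXAMPLE"}}

if __name__ == "__main__":
    print(build_publish_request(TOPIC_ARN, '{"user_id": 42}', "Password reset", SAFE_ATTRS))
    try:
        build_publish_request(TOPIC_ARN, "{}", "Reset for alice@example.com", LEAKY_ATTRS)
    except ValueError as err:
        print("rejected:", err)
```

Pass the returned dict to `boto3.client("sns").publish(**request)`. The guard only covers what SSE leaves unencrypted inside SNS; the body is decrypted again when SNS sends the message, so it reaches subscribers in plaintext over whatever transport the subscription uses.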

## Key terms
<a name="sse-key-terms"></a>

The following key terms can help you better understand the functionality of SSE. For detailed descriptions, see the *[Amazon Simple Notification Service API Reference](https://docs.amazonaws.cn/sns/latest/api/)*.

**Data key**  
The data encryption key (DEK) responsible for encrypting the contents of Amazon SNS messages.  
For more information, see [Data Keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#data-keys) in the *Amazon Key Management Service Developer Guide* and [Envelope Encryption](https://docs.amazonaws.cn/encryption-sdk/latest/developer-guide/how-it-works.html#envelope-encryption) in the *Amazon Encryption SDK Developer Guide*.

**Amazon KMS key ID**  
The alias, alias ARN, key ID, or key ARN of the Amazon managed KMS key for Amazon SNS, or of a customer managed KMS key, in your account or in another account. The alias of the Amazon managed KMS key for Amazon SNS is always `alias/aws/sns`; the alias of a customer managed KMS key can be, for example, `alias/MyAlias`. You can use these KMS keys to protect the messages in Amazon SNS topics.   
Keep the following in mind:  
+ The first time you use the Amazon Web Services Management Console to specify the Amazon managed KMS key for Amazon SNS for a topic, Amazon KMS creates the Amazon managed KMS key for Amazon SNS.
+ Alternatively, the first time you use the `Publish` action on a topic with SSE enabled, Amazon KMS creates the Amazon managed KMS key for Amazon SNS.
You can create KMS keys, define the policies that control how KMS keys can be used, and audit KMS key usage using the **Amazon KMS keys** section of the Amazon KMS console or the `[CreateKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateKey.html)` Amazon KMS action. For more information, see [Amazon KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#master_keys) and [Creating Keys](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html) in the *Amazon Key Management Service Developer Guide*. For more examples of KMS key identifiers, see [KeyId](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html#API_DescribeKey_RequestParameters) in the *Amazon Key Management Service API Reference*. For information about finding KMS key identifiers, see [Find the Key ID and ARN](https://docs.amazonaws.cn/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) in the *Amazon Key Management Service Developer Guide*.  
There are additional charges for using Amazon KMS. For more information, see [Estimating Amazon KMS costs](sns-key-management.md#sse-estimate-kms-usage-costs) and [Amazon Key Management Service Pricing](http://www.amazonaws.cn/kms/pricing).