
Amazon SNS message data protection availability change

Important

Amazon SNS message data protection will no longer be available to new customers starting April 30, 2026. For more information and guidance on alternatives, see Amazon SNS message data protection availability change.

After careful consideration, the Amazon SNS message data protection feature will no longer be available to new customers effective on April 30, 2026. If you are an existing customer with SNS message data protection policies configured, you may continue to use the feature within those accounts. While we will not be introducing enhancements to the feature, we remain committed to providing security updates.

Alternative architecture

An Amazon Lambda-based architecture using Amazon Bedrock Guardrails is the recommended approach for customers seeking an alternative solution. This solution enables real-time sensitive data detection and protection with the flexibility to customize data protection to meet your specific requirements.

An example demonstrating this recommended architecture is available in the Amazon Samples repository on GitHub: Protect Sensitive Data in SNS Messages using Amazon Bedrock Guardrails. The example shows how to leverage Amazon Bedrock Guardrails and custom pattern matching for sensitive data detection. 

Architecture overview

The recommended Lambda-based architecture works as follows:

  1. Publishers send messages to an inbound Amazon SNS topic.

  2. A Lambda function subscribed to the inbound topic inspects message content.

  3. The Lambda function leverages Amazon Bedrock Guardrails to detect sensitive data in the message and apply your policies:

    • LOG – Log the detection of sensitive data and publish the original message.

    • BLOCK – Drop the message entirely.

    • REDACT – Redact sensitive data and publish the redacted message.

  4. Processed messages are published to your destination Amazon SNS topic for delivery to your topic subscribers.

For further guidance and sample code, see Protect Sensitive Data in SNS Messages using Amazon Bedrock Guardrails. 
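The handler below illustrates steps 2 through 4 of the overview. It is an added example, not the code from the Amazon Samples repository. The environment variable names, `SAMPLE_EVENT` and the `process_record` helper are assumptions, and the guardrail is assumed to be configured to mask sensitive data in its output.

```python
import json
import os

# Assumed environment variable names (not taken from the AWS sample).
POLICY = os.environ.get("POLICY", "REDACT")  # LOG | BLOCK | REDACT
DEST_TOPIC_ARN = os.environ.get("DEST_TOPIC_ARN", "")
GUARDRAIL_ID = os.environ.get("GUARDRAIL_ID", "")
GUARDRAIL_VERSION = os.environ.get("GUARDRAIL_VERSION", "DRAFT")

# Constructed sample of the event shape Lambda receives from SNS.
SAMPLE_EVENT = {"Records": [{"Sns": {
    "MessageId": "m-1", "Message": "card 4111 1111 1111 1111"}}]}


def process_record(record, bedrock, sns, policy=POLICY):
    """Handle one SNS record; returns PASSED, LOGGED, REDACTED or BLOCKED."""
    message = record["Sns"]["Message"]
    # An exception here propagates, so nothing is forwarded uninspected.
    result = bedrock.apply_guardrail(
        guardrailIdentifier=GUARDRAIL_ID,
        guardrailVersion=GUARDRAIL_VERSION,
        source="INPUT",
        content=[{"text": {"text": message}}],
    )
    if result.get("action") != "GUARDRAIL_INTERVENED":
        outcome, body = "PASSED", message
    elif policy == "LOG":
        # Log the finding only, never the message body itself.
        print(json.dumps({"event": "sensitive_data_detected",
                          "messageId": record["Sns"].get("MessageId")}))
        outcome, body = "LOGGED", message
    elif policy == "REDACT" and result.get("outputs"):
        # Assumes the guardrail masks (anonymizes) findings in its output.
        outcome, body = "REDACTED", result["outputs"][0]["text"]
    else:
        # BLOCK, an unknown policy, or no masked output: drop the message.
        return "BLOCKED"
    sns.publish(TopicArn=DEST_TOPIC_ARN, Message=body)
    return outcome


def lambda_handler(event, context):
    import boto3  # imported lazily so process_record can be tested offline
    bedrock, sns = boto3.client("bedrock-runtime"), boto3.client("sns")
    return [process_record(r, bedrock, sns) for r in event["Records"]]
```

An unrecognized policy value drops the message instead of forwarding it, so a misconfigured deployment fails closed.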

Viewing existing message data protection policies

If you currently use Amazon SNS message data protection, you can review your configured policies through the Amazon Web Services Management Console or Amazon CLI.

Using the Amazon Web Services Management Console
  1. Navigate to the Amazon SNS console.

  2. Select Topics from the navigation panel.

  3. Choose a topic to view its details.

  4. Check if a data protection policy is configured on the Data protection policy tab.

Using the Amazon CLI

To check if a specific topic has message data protection enabled, run the following command. Replace topic-arn with your Amazon SNS topic ARN.

aws sns get-data-protection-policy --resource-arn topic-arn

Disabling Amazon SNS message data protection

You can remove data protection policies from your Amazon SNS topics at any time, whether you're migrating to a Lambda-based alternative or no longer require data protection. The policy removal process can be completed through the Amazon Web Services Management Console, Amazon CLI, or your infrastructure as code (IaC) tools.

Using the Amazon Web Services Management Console
  1. Navigate to the Amazon SNS console.

  2. Select Topics from the navigation panel.

  3. Choose the topic you want to modify.

  4. Select Edit.

  5. Go to the Data protection policy section.

  6. Remove the data protection policy configuration associated with the topic.

Using the Amazon CLI

To disable message data protection, delete the data protection policy from your topic. Replace topic-arn with your Amazon SNS topic ARN.

aws sns put-data-protection-policy --resource-arn topic-arn --data-protection-policy ""

If you have additional questions, contact Amazon Support.