How do I activate SSE encryption for Amazon SNS topics?

I want to activate server-side encryption (SSE) for my Amazon Simple Notification Service (Amazon SNS) topics to protect data at rest.

Resolution

You can use AWS Key Management Service (AWS KMS) keys to activate SSE and secure Amazon SNS data stored in your SNS topics.

Note: To activate SSE for SNS topics, use the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Use the AWS Management Console

Complete the following steps:

  1. Open the Amazon SNS console.

  2. In the navigation pane, choose Topics.

  3. Select your topic, and then choose Edit.

  4. Expand Encryption, and then choose the toggle on.

  5. For AWS KMS key, choose either the AWS managed key (alias/aws/sns) or a customer managed key.
    Note: If you don't see the AWS managed key, then make sure that you have the kms:ListAliases and kms:DescribeKey permissions. If you choose a customer managed key, then make sure that the key policy allows SNS to encrypt and decrypt messages.
    Example key policy statement:

    {
        "Effect": "Allow",
        "Principal": {
            "Service": "sns.amazonaws.com"
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:EncryptionContext:aws:sns:topicArn": "arn:aws:sns:your-region:123456789012:your-topic-name"
            }
        }
    }

    Note: Replace your-region with your AWS Region and 123456789012:your-topic-name with your topic's Amazon Resource Name (ARN).

  6. Choose Save changes.

For more information, see Setting up Amazon SNS topic encryption with server-side encryption.

Use the AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To use an AWS managed key to activate encryption for an existing topic, run the following set-topic-attributes command:

aws sns set-topic-attributes \
    --topic-arn arn:aws:sns:us-east-1:123456789012:your-topic-name \
    --attribute-name KmsMasterKeyId \
    --attribute-value alias/aws/sns \
    --region your-region

Note: Replace arn:aws:sns:us-east-1:123456789012:your-topic-name with your topic's ARN, alias/aws/sns with your AWS managed key, and your-region with your Region.

To use a customer managed KMS key instead of the AWS managed key, add the following permissions statement to your KMS key policy:

{
    "Effect": "Allow",
    "Principal": {
        "Service": "sns.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:aws:sns:topicArn": "arn:aws:sns:your-region:123456789012:your-topic-name"
        }
    }
}

Note: Replace your-region with your Region and 123456789012:your-topic-name with your topic's ARN.
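An added check that is not part of this article: a small Python script that validates a KMS key policy document against the statement shown above, confirming that an Allow statement exists for sns.amazonaws.com with kms:Decrypt and kms:GenerateDataKey, and that its encryption-context condition is pinned to your topic ARN rather than left open so the key could be used for any topic. The function names and the embedded sample policy are my own constructions.

```python
import json
from typing import Any

SNS_SERVICE = "sns.amazonaws.com"
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
CONTEXT_KEY = "kms:EncryptionContext:aws:sns:topicArn"

def _as_list(value: Any) -> list:
    # Policy fields such as Action or Service may be a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statement_grants_sns(stmt: dict, topic_arn: str) -> tuple[bool, str]:
    """Does this statement let the SNS service principal use the key for exactly topic_arn?"""
    if stmt.get("Effect") != "Allow":
        return False, "not an Allow statement"
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if SNS_SERVICE not in services:
        return False, "principal is not sns.amazonaws.com"
    actions = set(_as_list(stmt.get("Action")))
    if "kms:*" not in actions and not REQUIRED_ACTIONS <= actions:
        return False, "missing " + ", ".join(sorted(REQUIRED_ACTIONS - actions))
    scoped = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get(CONTEXT_KEY))
    if not scoped:
        return False, "no topicArn encryption-context condition: grant covers every topic"
    if topic_arn not in scoped:
        return False, "condition names a different topic: " + ", ".join(scoped)
    return True, "ok"

def key_policy_allows_sns(policy_json: str, topic_arn: str) -> tuple[bool, list[str]]:
    """Walk a full key policy document; return (ok, one reason per statement examined)."""
    reasons = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        ok, why = statement_grants_sns(stmt, topic_arn)
        reasons.append(why)
        if ok:
            return True, reasons
    return False, reasons

# Constructed sample key policy with placeholder account and topic; not from a real account.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:your-topic-name"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {"StringEquals": {CONTEXT_KEY: TOPIC_ARN}}}]})
```

Run key_policy_allows_sns on the output of `aws kms get-key-policy --policy-name default` to check a real key; the per-statement reasons tell you which statement is missing the topic condition.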

To create a new encrypted topic, run the following create-topic command:

aws sns create-topic \
    --name YourEncryptedTopic \
    --attributes KmsMasterKeyId=alias/aws/sns \
    --region your-region

Note: Replace YourEncryptedTopic with your topic name, alias/aws/sns with your KMS key, and your-region with your Region.

Related information

Amazon SNS security best practices

Encrypting messages published to Amazon SNS with AWS KMS