Securing Your Deployed SNS Topics: Enabling At-Rest Encryption with AWS KMS

Introduction:-

In AWS, SNS (Simple Notification Service) provides a scalable and flexible messaging service. To ensure the confidentiality and security of sensitive data, it is important to encrypt SNS topics at rest. AWS Key Management Service (KMS) offers a robust solution for managing encryption keys, allowing you to protect your SNS topics and ensure that only authorized entities can access the encrypted data.

Prerequisites:-

  • AWS account with the required permissions

  • Terraform should be installed on your system.

General steps to follow: inside your modules directory, create a folder named sns. In that folder create a file named main.tf, add the code for whatever resources you want to create, and make sure the code below is included in it. This is an example reference.

# main.tf
data "aws_caller_identity" "current" {}

# SNS topic encrypted at rest with the customer managed KMS key defined below.
resource "aws_sns_topic" "this" {
  name              = var.topic_name
  kms_master_key_id = aws_kms_key.this.arn
}

# Topic access policy. The topic resource has no count or for_each, so it is
# referenced without an index. The condition follows the SNS default policy
# and limits the "*" principal to callers from this account.
resource "aws_sns_topic_policy" "this" {
  arn    = aws_sns_topic.this.arn
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "${aws_sns_topic.this.arn}",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "${data.aws_caller_identity.current.account_id}"
        }
      }
    }
  ]
}
EOF
}

# Customer managed key. The first statement keeps the account root (and so the
# account's IAM policies) in control of the key; the second lets the SNS service
# generate data keys and decrypt on behalf of the topic, which server-side
# encryption of a topic requires.
resource "aws_kms_key" "this" {
  description             = "Example KMS key for SNS encryption"
  deletion_window_in_days = 10
  policy                  = <<EOF
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Enable SNS Encryption",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# variable.tf
variable "topic_name" {
  type    = string
  default = "sns-topic-rest"
}

After pasting this code into the file, go to the prod environment and into the exact directory for the sns module. Save the file, open a terminal and run terragrunt init to initialize. After initialization, run terragrunt plan; once the plan executes successfully, run terragrunt apply. After the apply completes, the corresponding Security Hub finding should show as passed.
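To confirm the result outside the console, here is an added audit script (not part of the original post or its repository) that classifies topics by their KmsMasterKeyId attribute the same way the Security Hub check does. The sample attributes, account id and key id are constructed placeholders; audit_live assumes boto3 is installed and AWS credentials are available.

```python
"""Audit SNS topics for at-rest encryption: evaluation is pure and runs offline;
audit_live() fetches real topic attributes with boto3 (assumed installed)."""
from typing import Dict, List

# The AWS managed key is still encryption, but its key policy cannot be edited,
# so it is reported separately from a customer managed key like the one in main.tf.
AWS_MANAGED_SNS_KEY = "alias/aws/sns"


def evaluate_topic(topic_arn: str, attributes: Dict[str, str]) -> Dict[str, str]:
    """Classify one topic from its GetTopicAttributes 'Attributes' map."""
    key_id = (attributes.get("KmsMasterKeyId") or "").strip()
    if not key_id:
        status, reason = "FAILED", "no KmsMasterKeyId: messages are stored in plaintext"
    elif key_id == AWS_MANAGED_SNS_KEY:
        status, reason = "WARNING", "AWS managed key: key policy not under your control"
    else:
        status, reason = "PASSED", f"customer managed key {key_id}"
    return {"topic_arn": topic_arn, "status": status, "reason": reason}


def evaluate_topics(attrs_by_arn: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate a whole {topic_arn: attributes} map, sorted by ARN for stable output."""
    return [evaluate_topic(arn, attrs) for arn, attrs in sorted(attrs_by_arn.items())]


def audit_live(region_name: str) -> List[Dict[str, str]]:
    """Collect every topic in a region with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above need no AWS SDK
    sns = boto3.client("sns", region_name=region_name)
    attrs_by_arn: Dict[str, Dict[str, str]] = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            attrs_by_arn[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return evaluate_topics(attrs_by_arn)


# Constructed sample (account id and key id are placeholders, not real resources).
SAMPLE_ATTRIBUTES = {
    "arn:aws:sns:us-east-1:111122223333:sns-topic-rest": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "arn:aws:sns:us-east-1:111122223333:legacy-alerts": {},
    "arn:aws:sns:us-east-1:111122223333:aws-managed": {"KmsMasterKeyId": "alias/aws/sns"},
}

if __name__ == "__main__":
    for f in evaluate_topics(SAMPLE_ATTRIBUTES):
        print(f"{f['status']:8}{f['topic_arn']}: {f['reason']}")
```

Run it as-is to see the offline classification, or call audit_live("<region>") to check the topics actually deployed in your account.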

Source code link:- github.com/MahiraTechnology/Mahira-medium.git

Conclusion:-

Encrypting SNS topics at rest using AWS KMS is a crucial security measure to safeguard sensitive information. By leveraging AWS KMS, you can easily manage encryption keys and enforce strong encryption for your SNS topics, mitigating the risk of unauthorized access or data breaches. This ensures that your messages remain confidential and protected, maintaining the integrity of your communication channels. With the ability to seamlessly integrate AWS KMS with SNS, you can confidently use SNS for your messaging needs, knowing that your data is encrypted and secure.