Amazon Simple Notification Service (SNS) is a managed messaging service that supports server-side encryption (SSE) to protect messages stored at rest.
Amazon SNS topics do not enable server-side encryption by default. When encryption is not configured, messages stored in SNS topics remain in plaintext, making them readable to anyone who gains unauthorized access to the underlying storage. This rule raises an issue when an SNS topic is created without a KMS master key configured.
If an attacker gains unauthorized access to the underlying storage medium, they can read the contents of SNS messages in plaintext. Depending on the data carried by the messages, this may expose sensitive information such as user data, financial records, or internal communications.
The following code creates an SNS topic without a KMS master key configured, leaving messages stored at rest unencrypted.
resource "aws_sns_topic" "topic" { # Noncompliant: encryption disabled by default
  name = "sns-example"
}
The following code sets a KMS master key on the topic, so messages stored at rest are encrypted.

resource "aws_sns_topic" "topic" { # Compliant: messages encrypted with the referenced KMS key
  name              = "sns-example"
  kms_master_key_id = aws_kms_key.enc_key.key_id
}
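The check this rule performs can be reproduced over a Terraform file. The following script is an added example, not part of the rule or of any tool it describes: it scans constructed HCL text for aws_sns_topic resources whose kms_master_key_id is missing or an empty string, using a simple brace-matching scan rather than a full HCL parser (it assumes braces inside comments or strings do not occur).

```python
import re

# Constructed sample configuration (not from the original page): one topic
# without a key, one with a KMS key and a nested block, an unrelated SQS
# queue, and one topic whose key is an empty string.
SAMPLE_TF = '''
resource "aws_sns_topic" "alerts" {
  name = "alerts"
}

resource "aws_sns_topic" "orders" {
  name              = "orders"
  kms_master_key_id = aws_kms_key.enc_key.key_id
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_sqs_queue" "q" {
  name = "q"
}

resource "aws_sns_topic" "audit" {
  name              = "audit"
  kms_master_key_id = ""
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_sns_topic"\s+"([^"]+)"\s*\{')
KEY_RE = re.compile(r'^\s*kms_master_key_id\s*=\s*(.+?)\s*$', re.MULTILINE)


def _block_body(text, start):
    """Return the text inside the brace block whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")


def find_unencrypted_topics(tf_text):
    """Return names of aws_sns_topic resources lacking a usable kms_master_key_id."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        body = _block_body(tf_text, m.end() - 1)   # m.end() - 1 is the '{'
        key = KEY_RE.search(body)
        # No attribute at all, or a literal empty string, both leave SSE off.
        if key is None or key.group(1).strip() in ('""', "''"):
            findings.append(m.group(1))
    return findings


if __name__ == "__main__":
    print(find_unencrypted_topics(SAMPLE_TF))  # ['alerts', 'audit']
```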