Amazon SNS topics are assessed for server-side encryption with AWS KMS. Topics lacking a configured KMS key (e.g., missing kms_master_key_id) are identified as unencrypted at rest.
Risk
Without KMS-backed SSE, SNS stores message bodies unencrypted at rest, undermining confidentiality.
Privileged insiders or compromised service components could access plaintext during persistence windows, causing data exposure. You also lose KMS controls such as key policies, rotation, and detailed audit trails.
prowler aws --checks sns_topics_kms_encryption_at_rest_enabled
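As an added illustration of the logic this check applies (example code written here, not Prowler's own implementation), the script below classifies each topic from its GetTopicAttributes map: no KmsMasterKeyId means unencrypted at rest, and a key that is present is further labelled as the AWS managed key (alias/aws/sns) or a customer-managed key, matching the recommendation further down. The topic ARNs and attributes in SAMPLE_TOPICS are constructed; fetch_topic_attributes() is an optional live variant that assumes boto3 and AWS credentials are available.

```python
from typing import Dict, List

AWS_MANAGED_SNS_KEY = "alias/aws/sns"


def evaluate_topic(topic_arn: str, attributes: Dict[str, str]) -> Dict[str, str]:
    """Classify one topic from its GetTopicAttributes 'Attributes' map."""
    key_id = (attributes.get("KmsMasterKeyId") or "").strip()
    if not key_id:
        # Prowler reports this as the failing case: no KMS key configured.
        return {"topic": topic_arn, "status": "FAIL",
                "detail": "no KmsMasterKeyId: topic is not encrypted at rest"}
    if key_id == AWS_MANAGED_SNS_KEY:
        return {"topic": topic_arn, "status": "PASS",
                "detail": "encrypted with the AWS managed key alias/aws/sns"}
    return {"topic": topic_arn, "status": "PASS",
            "detail": f"encrypted with customer-managed key {key_id}"}


def audit_topics(topics: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate {topic_arn: attributes}; failing topics are listed first."""
    results = [evaluate_topic(arn, attrs) for arn, attrs in topics.items()]
    return sorted(results, key=lambda r: (r["status"] != "FAIL", r["topic"]))


def fetch_topic_attributes(region: str) -> Dict[str, Dict[str, str]]:
    """Live variant (assumes boto3 + credentials): attributes of every topic in a region."""
    import boto3  # imported lazily so the offline sample below needs no AWS SDK
    sns = boto3.client("sns", region_name=region)
    topics: Dict[str, Dict[str, str]] = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page.get("Topics", []):
            arn = topic["TopicArn"]
            topics[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return topics


# Constructed sample input (not real account data), shaped like GetTopicAttributes output.
# An unencrypted topic simply has no KmsMasterKeyId entry at all.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:123456789012:orders": {"Owner": "123456789012"},
    "arn:aws:sns:us-east-1:123456789012:alerts": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:123456789012:billing": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
}

if __name__ == "__main__":
    for r in audit_topics(SAMPLE_TOPICS):
        print(f'{r["status"]:4} {r["topic"]}: {r["detail"]}')
```

To run it against a real account, replace SAMPLE_TOPICS with fetch_topic_attributes("us-east-1") and remediate every FAIL with the set-topic-attributes command in the Remediation section.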
Recommendation
Enable server-side encryption on all SNS topics with AWS KMS; prefer customer-managed keys for control.
Apply least privilege on key use, enforce rotation, and monitor key/access logs. Minimize sensitive data in messages and use end-to-end encryption where feasible to add defense in depth.
Remediation
aws sns set-topic-attributes --topic-arn <TOPIC_ARN> --attribute-name KmsMasterKeyId --attribute-value alias/aws/sns
- Open the AWS Console and go to Amazon SNS > Topics
- Select the topic and click Edit
- Under Encryption, enable encryption and choose the AWS managed key for SNS (alias/aws/sns)
- Click Save changes
Source Code
Resource Type
AwsSnsTopic