> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# SNS Topics Should Be Encrypted Using KMS CMKs

### More Info:

SNS Topics should be encrypted with Customer managed keys (CMK) instead of AWS managed keys in order to have a more granular control over the SNS data-at-rest encryption and decryption process.

### Risk Level

Medium

### Address

Security

### Compliance Standards

HIPAA, HITRUST, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the misconfiguration in AWS:

        1. Log in to your AWS Management Console.
        2. Navigate to the Amazon SNS console.
        3. Click on the SNS topic that you want to remediate.
        4. Click on the "Encryption" tab.
        5. Select "Enable encryption" option.
        6. Select the KMS key that you want to use to encrypt the topic.
        7. Click on "Update" to save the changes.

        After following these steps, your SNS topic will be encrypted using the KMS CMKs.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate this misconfiguration in AWS, you can follow these steps using AWS CLI:

        1. Identify the SNS topics that are not encrypted using KMS CMKs by running the following command:

        ```
        aws sns list-topics --query "Topics[?KmsMasterKeyId == null].TopicArn" --output text
        ```

        2. For each topic identified in step 1, create a new KMS CMK or use an existing one.

        3. Enable server-side encryption for the SNS topic by updating its properties with the following command:

        ```
        aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name KmsMasterKeyId --attribute-value <kms-key-id>
        ```

        Replace `<topic-arn>` with the ARN of the SNS topic and `<kms-key-id>` with the ARN of the KMS CMK created in step 2.

        4. Verify that the SNS topic is now encrypted using KMS CMKs by running the following command:

        ```
        aws sns list-topics --query "Topics[?KmsMasterKeyId != null].TopicArn" --output text
        ```

        This command should return the ARN of the SNS topic that was just updated.

        5. Repeat steps 3-4 for all the SNS topics that were identified in step 1.

        By following these steps, you can remediate the misconfiguration of SNS topics not being encrypted using KMS CMKs in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of SNS Topics not being encrypted using KMS CMKs in AWS using Python, you can follow these steps:

        1. First, you need to identify the SNS topic(s) that are not encrypted using KMS CMKs. You can use the AWS CLI or Boto3 library in Python to list all the SNS topics and their encryption status.

           ```python theme={null}
           import boto3

           # Create an SNS client
           sns = boto3.client('sns')

           # List all SNS topics
           response = sns.list_topics()

           # Check encryption status for each topic
           for topic_arn in response['Topics']:
               topic_attributes = sns.get_topic_attributes(TopicArn=topic_arn['TopicArn'])
               if 'KmsMasterKeyId' not in topic_attributes['Attributes']:
                   print(f"SNS topic {topic_arn['TopicArn']} is not encrypted using KMS CMKs")
           ```

        2. Once you have identified the SNS topic(s) that are not encrypted using KMS CMKs, you can update their encryption settings using the `set_topic_attributes()` method in Boto3.

           ```python theme={null}
           import boto3

           # Create an SNS client
           sns = boto3.client('sns')

           # Update encryption settings for a specific topic
           topic_arn = 'arn:aws:sns:us-east-1:123456789012:my-topic'
           response = sns.set_topic_attributes(
               TopicArn=topic_arn,
               AttributeName='KmsMasterKeyId',
               AttributeValue='arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-1234567890ab'
           )

           print(f"Encryption settings updated for SNS topic {topic_arn}")
           ```

           Note: Replace the `topic_arn` and `AttributeValue` with the appropriate values for your AWS account.

        3. Finally, you can verify that the SNS topic(s) are now encrypted using KMS CMKs by running the first code snippet again and checking the encryption status for each topic.

           ```python theme={null}
           import boto3

           # Create an SNS client
           sns = boto3.client('sns')

           # List all SNS topics
           response = sns.list_topics()

           # Check encryption status for each topic
           for topic_arn in response['Topics']:
               topic_attributes = sns.get_topic_attributes(TopicArn=topic_arn['TopicArn'])
               if 'KmsMasterKeyId' not in topic_attributes['Attributes']:
                   print(f"SNS topic {topic_arn['TopicArn']} is not encrypted using KMS CMKs")
               else:
                   print(f"SNS topic {topic_arn['TopicArn']} is encrypted using KMS CMKs")
           ```

           This should return a list of all SNS topics and their encryption status.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html)
