[Turbot On] Encryption at Rest for SNS
How to enforce encryption at rest to all your Amazon SNS topics.
Amazon Simple Notification Service (Amazon SNS) is a messaging Platform as a Service (PaaS) that is frequently used as part of cloud-native, loosely-coupled application architectures (e.g. microservices, distributed systems, etc.). Turbot itself uses SNS in conjunction with CloudWatch events and SQS as a highly reliable and subscribable message queue. If your SNS topics are processing sensitive data, it makes sense to encrypt them in transit and at rest.
This week we will look at how Turbot can automate checking and enforcement of encryption at rest for your Amazon SNS topics.
Traditional Workflow
In a cloud-native architecture, SNS topics are often created programmatically (i.e. a software factory that creates new Lambda functions might also create a new SNS topic to enable pub/sub messaging for each function). This means that your large-scale applications may have hundreds or thousands of topics under management.
Furthermore, past limitations on cross-service KMS key access prevented some applications from using encryption with SNS. If your applications were built a few years ago, they may not have updated their architecture and could still be generating new topics without encryption. Manually looking for them and remediating the issues is a tedious and time-consuming task.
Get it done with Turbot
In Turbot, Amazon SNS Topic guardrails are readily available to control your cloud resource configurations. We can set the Turbot automation `AWS > SNS > Topic > Encryption at Rest` policy in just a few clicks:
Setting the configuration via Turbot’s Terraform provider is just as easy:
After setting these policies, Turbot will identify all SNS Topics without a configured AWS KMS managed key, and then handle remediation (i.e. set the correct encryption configuration).
If you are not yet ready to enforce remediation, you can still assess your environment’s SNS encryption compliance by setting the value of the policy to ‘Check: AWS managed key or higher’ at the Turbot level. In ‘Check’ mode Turbot will alarm on Amazon SNS Topics that do not have encryption at rest in place. After review of the alarms, selectively apply the enforcement settings or create exceptions as desired.
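To make the two modes concrete, here is an added example (not Turbot's own code) of the same check-then-enforce logic written directly against the SNS API. The classification and audit functions are pure and run offline on constructed topic attributes; `main()` wires them to boto3 for a live account. SNS reports a topic's `KmsMasterKeyId` attribute only when server-side encryption is enabled, and `alias/aws/sns` is the AWS managed key; the sample ARNs, account ID and key ID below are constructed, and the `--enforce` flag is this script's own, not an AWS or Turbot option.

```python
"""Check, and optionally remediate, encryption at rest on Amazon SNS topics.

Added example: the check logic is pure (runs offline on constructed topic
attributes); main() at the bottom wires it to boto3 against a live account.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Alias of the AWS managed KMS key SNS uses when you pick "AWS managed key".
AWS_MANAGED_SNS_KEY = "alias/aws/sns"

# Encryption levels ordered so that "X or higher" policies can be compared.
LEVELS = {"none": 0, "aws_managed": 1, "customer_managed": 2}


def classify_encryption(attributes: Dict[str, str]) -> str:
    """Map a topic's attribute dict (as returned by GetTopicAttributes) to a level.

    SNS only reports KmsMasterKeyId when server-side encryption is enabled.
    alias/aws/sns (bare or ARN form) is the AWS managed key; any other key ID,
    ARN or alias is treated as customer managed. (Assumption: a raw key ID of
    the AWS managed key is not resolved here; a fuller check would call
    kms.describe_key and inspect KeyManager.)
    """
    key = attributes.get("KmsMasterKeyId", "").strip()
    if not key:
        return "none"
    if key == AWS_MANAGED_SNS_KEY or key.endswith(":" + AWS_MANAGED_SNS_KEY):
        return "aws_managed"
    return "customer_managed"


def is_compliant(level: str, minimum: str = "aws_managed") -> bool:
    """True when the topic meets the minimum level (e.g. 'AWS managed key or higher')."""
    return LEVELS[level] >= LEVELS[minimum]


def audit(topics: Dict[str, Dict[str, str]], minimum: str = "aws_managed") -> Dict[str, str]:
    """'Check' mode: return {topic_arn: level} for every topic below the minimum."""
    findings: Dict[str, str] = {}
    for arn, attrs in topics.items():
        level = classify_encryption(attrs)
        if not is_compliant(level, minimum):
            findings[arn] = level
    return findings


def plan_remediation(findings: Dict[str, str],
                     key_id: str = AWS_MANAGED_SNS_KEY) -> List[Tuple[str, str]]:
    """'Enforce' mode: the SetTopicAttributes calls needed to fix each finding.

    Returns (topic_arn, key_id) pairs; applying them is left to the caller so
    the plan can be reviewed first, much like reviewing alarms before switching
    a policy from Check to Enforce.
    """
    return [(arn, key_id) for arn in sorted(findings)]


# Constructed sample data standing in for GetTopicAttributes responses.
SAMPLE_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:orders": {},  # no SSE configured
    "arn:aws:sns:us-east-1:111122223333:audit": {"KmsMasterKeyId": "alias/aws/sns"},
    "arn:aws:sns:us-east-1:111122223333:payments": {
        "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-cmk-id"
    },
}


def main() -> None:
    """Run the audit against a live account (needs boto3 and AWS credentials)."""
    import sys
    import boto3  # imported here so the pure functions above run without it

    sns = boto3.client("sns")
    topics: Dict[str, Dict[str, str]] = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            topics[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]

    findings = audit(topics)
    for arn, level in findings.items():
        print(f"NON-COMPLIANT {arn}: {level}")
    # --enforce is this script's own flag: apply the planned SetTopicAttributes calls.
    if "--enforce" in sys.argv:
        for arn, key_id in plan_remediation(findings):
            sns.set_topic_attributes(TopicArn=arn, AttributeName="KmsMasterKeyId",
                                     AttributeValue=key_id)
            print(f"encrypted {arn} with {key_id}")


if __name__ == "__main__":
    main()
```

Run without arguments for a report only (the equivalent of Check mode); add `--enforce` to apply the AWS managed key to every topic that has no encryption. Raising `minimum` to `customer_managed` in `audit()` flags topics on the AWS managed key as well, which is useful when a workload needs a customer-managed key for cross-account subscribers.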
Given that encryption may not be applicable for all topics, make use of Turbot’s policy exceptions and time-based expiration settings to mark exceptions to the rule or to automatically reset a configuration when the exception expires.
Make it happen
See for yourself how easy it is to manage your encryption configurations across your cloud resources. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!
Cheers,
Bob