SNS Topic Encrypted With AWS Managed Key

  • Query id: b1a72f66-2236-4f3b-87ba-0da1b366956f
  • Query name: SNS Topic Encrypted With AWS Managed Key
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • CWE: 326
  • URL: Github

Description

An SNS (Simple Notification Service) topic should be encrypted with a customer-managed KMS key rather than the AWS managed key for SNS (alias/aws/sns). A customer-managed key lets you own the key policy, rotation and deletion, and lets you audit exactly which principals and services may use it. The query flags an aws_sns_topic whose kms_master_key_id refers to the AWS managed alias, either directly or via an aws_kms_key data source that resolves that alias.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_sns_topic" "user_updates" {
  name              = "user-updates-topic"
  # Flagged: alias/aws/sns is the AWS managed key, not a customer-managed one.
  kms_master_key_id = "alias/aws/sns"
}
Positive test num. 2 - tf file
provider "aws" {
  region = "us-east-1"
}

# Resolving the AWS managed alias through a data source still yields the
# AWS managed key; the resulting ARN is flagged just like the literal alias.
data "aws_kms_key" "by_alias" {
  key_id = "alias/aws/sns"
}

resource "aws_sns_topic" "test" {
  name              = "sns_encrypted"
  kms_master_key_id = data.aws_kms_key.by_alias.arn
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
provider "aws" {
  region = "us-east-1"
}

resource "aws_sns_topic" "test2" {
  name              = "sns_encrypted"
  # Not flagged: alias/MyAlias is assumed to point at a customer-managed key.
  kms_master_key_id = "alias/MyAlias"
}
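The negative sample above references alias/MyAlias without defining the key behind it. The following is an added example, not part of the KICS query or its test files, showing the complete compliant configuration: a customer-managed key with an explicit key policy, an alias for it, and the topic encrypted with that key. The alias name, key description and the set of publishing services (here CloudWatch and EventBridge) are assumptions chosen for illustration.

```hcl
# Added example, not from the KICS test files.
# Customer-managed KMS key for an SNS topic, with a key policy that lets
# the AWS services publishing to the topic use the key.

provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sns_key" {
  # The account root keeps full administrative control of the key.
  statement {
    sid       = "EnableRootAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Hypothetical publisher set: the AWS managed key grants this implicitly,
  # a customer-managed key must grant it explicitly or publishes will fail.
  # Adjust the list to the services that actually publish to the topic.
  statement {
    sid       = "AllowPublishingServicesToUseKey"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com", "events.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns" {
  description             = "CMK for the user-updates SNS topic" # assumed description
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.sns_key.json
}

resource "aws_kms_alias" "sns" {
  name          = "alias/user-updates-sns" # hypothetical alias name
  target_key_id = aws_kms_key.sns.key_id
}

resource "aws_sns_topic" "user_updates" {
  name = "user-updates-topic"
  # Passes the query: the key is customer-managed, not alias/aws/sns.
  kms_master_key_id = aws_kms_key.sns.arn
}
```

The query only checks which key the topic points at; the key policy is what makes the switch safe in practice. The AWS managed key ships with permissions for AWS services to publish to encrypted topics, so once you move to a customer-managed key you must add those permissions yourself, and any IAM principal that publishes directly also needs kms:GenerateDataKey and kms:Decrypt on the key.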