Information disclosure due to disabled SSE on SNS topic in AWS

Medium Risk information-disclosure
Tags: aws, sns, encryption, kms, message-queue, data-protection, server-side-encryption

What it is

Amazon SNS topics without server-side encryption (SSE) store message bodies in plaintext at rest, so anyone who obtains access to the underlying storage, whether through a compromise of AWS infrastructure or through an over-privileged administrator, can read notification content. SSE with AWS KMS encrypts the message body (topic and message metadata such as the topic name, subject, message ID, timestamp and message attributes remain unencrypted) and brings the key's controls to the data path: only principals allowed by the key policy can publish, every GenerateDataKey and Decrypt call is recorded in CloudTrail, and the key can be rotated. Without it, message data in a distributed notification fan-out has none of those protections.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

SNS encrypts a topic's messages at rest only when the topic's KmsMasterKeyId attribute names a KMS key, and nothing sets that attribute by default. Topics created through the console, CLI, SDK, Terraform (kms_master_key_id on aws_sns_topic) or CloudFormation (KmsMasterKeyId on AWS::SNS::Topic) without it store message bodies in plaintext on AWS infrastructure, exposing notification content if that storage is compromised or accessed by rogue administrators, and the unencrypted state persists until someone explicitly sets the attribute. Even when the attribute is set, a key policy that does not let the publishing principals use the key makes publishes fail, which tempts teams to remove encryption again rather than fix the key policy.

Root causes

SNS Topic Created Without KMS Configuration

AWS SNS topics provisioned in Terraform without the kms_master_key_id argument on the aws_sns_topic resource. Terraform does not choose a key for you, so the topic is created with no KmsMasterKeyId attribute and stores message bodies in plaintext at rest, exposing notification content to unauthorized access if AWS storage systems are compromised or accessed by rogue administrators.
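The vulnerable shape next to the smallest correction, as an added Terraform example that is not from this page or from Sourcery. The topic name is assumed; alias/aws/sns is the AWS managed key for SNS that exists in every account.

```hcl
# Vulnerable: no kms_master_key_id, so SNS stores message bodies in plaintext.
resource "aws_sns_topic" "orders_plaintext" {
  name = "orders-events" # assumed name
}

# Corrected with the least effort: reference the AWS managed key for SNS.
# kms_master_key_id accepts a key ID, a key ARN or an alias name.
# This key's policy cannot be edited, so it only works for topics that are
# published to by IAM principals in this account. Topics that receive from
# AWS services (CloudWatch alarms, EventBridge, S3 event notifications)
# need a customer managed key whose policy grants those service principals.
resource "aws_sns_topic" "orders" {
  name              = "orders-events"
  kms_master_key_id = "alias/aws/sns"
}
```

To check an existing topic rather than its source, `aws sns get-topic-attributes --topic-arn <arn> --query 'Attributes.KmsMasterKeyId'` returns the key for an encrypted topic and nothing for a plaintext one.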

Missing KmsMasterKeyId in CloudFormation Templates

CloudFormation AWS::SNS::Topic resources deployed without the KmsMasterKeyId property specified. Infrastructure-as-code templates that omit encryption configuration create topics vulnerable across all stack deployments, and this unencrypted state persists through stack updates unless explicitly corrected, affecting all environments where the template is used.

Default SNS Configuration Without Encryption

Relying on the AWS SNS default, which does not enable server-side encryption unless explicitly requested. When topics are created through the console, CLI, or SDK without an encryption parameter, AWS stores message bodies in plaintext for as long as SNS holds them for delivery and retries.

Missing Encryption Requirements in Infrastructure Policies

Organizational infrastructure and compliance policies lack specific requirements mandating encryption-at-rest for messaging services. Without explicit standards requiring KMS-encrypted SNS topics, development teams may deploy unencrypted notification infrastructure that violates data protection regulations (GDPR, HIPAA, PCI DSS) and exposes sensitive event data.

Insufficient KMS Key Permissions for Publishers

KMS key policies that do not grant the principals publishing to the topic the permissions SNS needs to encrypt on their behalf. SNS calls KMS in the publisher's context, so the IAM roles or users that call Publish, and any AWS service principal that publishes for you (for example events.amazonaws.com for EventBridge or cloudwatch.amazonaws.com for alarms), need kms:GenerateDataKey* and kms:Decrypt on the key; the AWS managed key alias/aws/sns cannot be used for service publishers at all because its key policy is not editable. SNS does not fall back to plaintext when the key is unusable: Publish calls fail with KMSAccessDeniedException and service-originated notifications are not delivered, and the common bad reaction to that outage is to remove encryption from the topic, leaving it unprotected.

Lack of Data Classification and Encryption Standards

Absence of data classification frameworks that identify which message types require encryption protection. Organizations without formal data sensitivity classification and corresponding encryption requirements may inadvertently transmit PII, PHI, financial data, or authentication tokens through unencrypted SNS topics, creating compliance violations and data exposure risks.

Fixes

1

Enable SNS Server-Side Encryption with KMS

Set kms_master_key_id on the Terraform aws_sns_topic resource, or KmsMasterKeyId on the CloudFormation AWS::SNS::Topic, to a KMS key ID, key ARN or alias. SNS then obtains a data key from KMS and stores each message body encrypted, so the body cannot be read from storage without access to the key; topic and message metadata are not covered by SSE. Because the key policy decides which principals may call GenerateDataKey and Decrypt through SNS, the same setting also bounds who can publish to the topic.

2

Use Customer-Managed KMS Keys

Create and reference a customer-managed KMS key (CMK) instead of the AWS managed key alias/aws/sns. A customer-managed key gives you full control of the key policy that defines who can use the key (which the AWS managed key does not allow, so it cannot serve topics published to by services such as CloudWatch or EventBridge), automatic rotation (yearly by default, with a configurable period) or manual rotation, CloudTrail entries for every use of the key, deletion with a configurable waiting period, and cross-account access for multi-account architectures.

3

Configure Comprehensive KMS Key Policies

Define the key policy so that every principal that publishes to the topic, application IAM roles and AWS service principals such as events.amazonaws.com or cloudwatch.amazonaws.com, can call kms:GenerateDataKey* and kms:Decrypt; kms:DescribeKey and kms:ReEncrypt* are useful for tooling and re-keying but are not required to publish. Subscribers need no permission on the topic's key, because SNS decrypts messages before delivering them; the exception is an encrypted SQS subscription, where sns.amazonaws.com must be allowed kms:GenerateDataKey* and kms:Decrypt on the queue's key. Restrict key usage with condition keys such as kms:ViaService (sns.<region>.amazonaws.com) so the key can be used only through SNS, and aws:PrincipalOrgId for cross-account publishers, to keep the key policy least-privilege while SNS encryption keeps working.

4

Implement Restrictive Topic Access Policies

Configure an aws_sns_topic_policy resource (Terraform) or AWS::SNS::TopicPolicy (CloudFormation) that allows Publish and Subscribe only to named IAM principals or service principals (scoped with aws:SourceAccount or aws:SourceArn), optionally restricts callers by aws:SourceIp, and denies every action when aws:SecureTransport is false. Encryption and the topic policy are complementary layers: KMS protects message bodies at rest and bounds which principals can encrypt through the key, while the topic policy bounds who can publish to or subscribe from the topic, so a leaked credential outside those principals gets nothing.
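Fixes 1 to 4 applied together in one Terraform configuration, as an added example that is not from this page or from Sourcery; it also addresses the key-permission root cause above. Assumptions: the topic is named orders-events, the application publishes through a role whose ARN arrives in the variable publisher_role_arn, and the AWS services that publish are EventBridge and CloudWatch; change the service principals to match your sources.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# ARN of the application role that publishes to the topic (assumed input).
variable "publisher_role_arn" {
  type = string
}

locals {
  account_id      = data.aws_caller_identity.current.account_id
  sns_via_service = "sns.${data.aws_region.current.name}.amazonaws.com"
}

# Fixes 2 and 3: customer managed key with rotation and a key policy that
# allows only the publishing principals to use it, and only through SNS.
resource "aws_kms_key" "sns" {
  description             = "SSE key for the orders-events topic"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # SNS calls KMS in the publisher's context, so the publishing role
        # and the AWS services that publish need GenerateDataKey and Decrypt.
        Sid    = "AllowPublishersViaSns"
        Effect = "Allow"
        Principal = {
          AWS     = var.publisher_role_arn
          Service = ["events.amazonaws.com", "cloudwatch.amazonaws.com"]
        }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
        Condition = { StringEquals = { "kms:ViaService" = local.sns_via_service } }
      }
    ]
  })
}

# Fix 1: the topic references the key, so message bodies are encrypted at rest.
resource "aws_sns_topic" "orders" {
  name              = "orders-events"
  kms_master_key_id = aws_kms_key.sns.arn
}

# Fix 4: topic policy that names the allowed publishers and refuses any
# call that does not arrive over TLS.
data "aws_iam_policy_document" "orders_topic" {
  statement {
    sid       = "AllowApplicationPublish"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.orders.arn]
    principals {
      type        = "AWS"
      identifiers = [var.publisher_role_arn]
    }
  }
  statement {
    sid       = "AllowEventBridgeFromThisAccount"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.orders.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["SNS:Publish", "SNS:Subscribe", "SNS:Receive"]
    resources = [aws_sns_topic.orders.arn]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_sns_topic_policy" "orders" {
  arn    = aws_sns_topic.orders.arn
  policy = data.aws_iam_policy_document.orders_topic.json
}
```

Subscribers need nothing on this key, since SNS decrypts before delivery; an encrypted SQS subscriber instead needs sns.amazonaws.com allowed kms:GenerateDataKey* and kms:Decrypt on the queue's own key. After apply, confirm a test publish from the role succeeds and, if the topic receives CloudWatch or EventBridge events, that one arrives: a KMSAccessDeniedException on publish means the key policy needs fixing, not the topic's encryption setting.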

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure due to disabled SSE on SNS topics in AWS and many other security issues in your codebase.