Posted On: Feb 19, 2020

Amazon Simple Notification Service (Amazon SNS) provides server-side encryption (SSE) of topics for additional protection of sensitive data. This capability is now available in AWS China (Beijing) Region operated by Sinnet, and AWS China (Ningxia) Region operated by NWCD.  This feature is integrated with AWS Key Management Service (AWS KMS), which allows you to centrally manage keys that protect Amazon SNS topics along with keys that protect your other AWS resources.

When you publish messages to encrypted topics, Amazon SNS immediately encrypts your messages. The encryption takes place on the server, using a 256-bit AES-GCM algorithm and a customer master key (CMK) issued by AWS KMS. Amazon SNS encrypted topics work with both customer-managed CMKs and AWS-managed CMKs. The messages are stored in encrypted form, in multiple availability zones (AZs), and decrypted only as they are delivered to subscribing endpoints, such as Amazon Simple Queue Service (Amazon SQS) queues, AWS Lambda functions, and HTTP/S webhooks.

Amazon SNS encrypted topics are available now in all AWS Regions where AWS KMS is available. There are no additional Amazon SNS charges for using encrypted topics, you are only charged for AWS KMS requests. For pricing details, visit AWS KMS pricing.

For more information:
• Visit the Amazon SNS developer guide, Protecting Amazon SNS data using Server-Side Encryption (SSE) topics.
• Run the tutorial, Enabling Server-Side Encryption (SSE) for an Amazon SNS topic.