Posted On: Feb 19, 2020

Amazon Simple Notification Service (Amazon SNS) provides server-side encryption (SSE) of topics for additional protection of sensitive data. This capability is now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. This feature is integrated with Amazon Key Management Service (Amazon KMS), which allows you to centrally manage the keys that protect Amazon SNS topics along with the keys that protect your other Amazon Web Services resources.

When you publish messages to encrypted topics, Amazon SNS immediately encrypts your messages. The encryption takes place on the server, using a 256-bit AES-GCM algorithm and a customer master key (CMK) issued by Amazon KMS. Amazon SNS encrypted topics work with both customer-managed CMKs and Amazon Web Services-managed CMKs. The messages are stored in encrypted form, in multiple availability zones (AZs), and decrypted only as they are delivered to subscribing endpoints, such as Amazon Simple Queue Service (Amazon SQS) queues, Amazon Lambda functions, and HTTP/S webhooks.

Amazon SNS encrypted topics are available now in all Amazon Web Services Regions where Amazon KMS is available. There are no additional Amazon SNS charges for using encrypted topics; you are charged only for Amazon KMS requests. For pricing details, visit Amazon KMS pricing.

For more information:
• Visit the Amazon SNS developer guide, Protecting Amazon SNS data using Server-Side Encryption (SSE) topics.
• Run the tutorial, Enabling Server-Side Encryption (SSE) for an Amazon SNS topic.