Does ProsperOps enable SNS topic encryption?

Note: This article only applies to customers running in our real-time mode where ProsperOps uses EventBridge and SNS.


ProsperOps leverages Amazon EventBridge and Amazon SNS to get real-time updates of state changes in your AWS environment. By default, SNS topics created by ProsperOps are not encrypted. 

If you have a requirement that SNS topics be encrypted, you may enable encryption as a follow-on step after the ProsperOps platform automation has deployed the topic, following the steps below.


Warning: AWS provides an AWS managed KMS key for SNS; however, this key does not allow decryption or data key generation by any service other than SNS. Because the ProsperOps platform leverages EventBridge in conjunction with SNS, topic encryption must use a customer managed KMS key.


  1. Wait for ProsperOps automation to create the SNS topic (the ProsperOps platform must do this step). Topics will be created in each enabled account-region of the AWS organization. All SNS topics created will have the same name: ProsperOps-EC2-Instance-State-Changes
  2. Create a customer managed KMS key. The detailed configuration of the key is outside the scope of this article, however, the key must include permissions for EventBridge to encrypt and decrypt SNS topic data using the key. To do that, include the following JSON snippet as part of the key policy:
    {
      "Sid": "Allow EventBridge to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }
  3. For each ProsperOps-EC2-Instance-State-Changes SNS topic, enable encryption, specifying the customer managed key created in step 2.
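As an added example that is not part of this article or of the ProsperOps platform, the following Python (boto3) script carries out steps 2 and 3 for one account-region: it builds a key policy containing the article's EventBridge statement, verifies that an existing key's policy actually grants those permissions before any topic is touched, then finds every ProsperOps-EC2-Instance-State-Changes topic in the region and sets its encryption key, reading the attribute back to confirm. The account-root statement in build_key_policy and the key identifier passed on the command line are assumptions; run it once per enabled account-region with credentials for that account.

```python
"""Apply a customer managed KMS key to the ProsperOps SNS topics in one account-region.

Added illustration for this article; not ProsperOps code. Assumes boto3 credentials for
the target account and region are configured and that the key already exists.
"""
import json
from fnmatch import fnmatch

# Topic name the article says ProsperOps automation creates in every enabled account-region.
TOPIC_NAME = "ProsperOps-EC2-Instance-State-Changes"

# The key-policy statement from step 2 of the article, verbatim.
EVENTBRIDGE_KEY_STATEMENT = {
    "Sid": "Allow EventBridge to use the key",
    "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
}

# Permissions EventBridge needs on the key; GenerateDataKey is matched by the
# "kms:GenerateDataKey*" wildcard in the statement above.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def build_key_policy(account_id: str) -> dict:
    """Minimal key policy: account root administers the key, EventBridge may use it.

    The root statement is an assumption (the usual starting point for a customer
    managed key); the article itself only mandates the EventBridge statement.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM policies in the key owner account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            EVENTBRIDGE_KEY_STATEMENT,
        ],
    }


def _as_list(value) -> list:
    """IAM policy fields may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def policy_allows_eventbridge(policy) -> bool:
    """True if the key policy lets events.amazonaws.com Decrypt and GenerateDataKey.

    Accepts a dict or the JSON string that kms:GetKeyPolicy returns. Only Allow
    statements whose Principal names the EventBridge service are counted.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "events.amazonaws.com" not in services:
            continue
        patterns = _as_list(stmt.get("Action"))
        for need in REQUIRED_ACTIONS:
            if any(fnmatch(need, pattern) for pattern in patterns):
                granted.add(need)
    return all(need in granted for need in REQUIRED_ACTIONS)


def find_prosperops_topics(sns) -> list:
    """List ARNs of topics named TOPIC_NAME in the region the SNS client is bound to."""
    arns, token = [], None
    while True:
        resp = sns.list_topics(NextToken=token) if token else sns.list_topics()
        for topic in resp.get("Topics", []):
            arn = topic["TopicArn"]
            if arn.rsplit(":", 1)[-1] == TOPIC_NAME:
                arns.append(arn)
        token = resp.get("NextToken")
        if not token:
            return arns


def encrypt_topic(sns, topic_arn: str, kms_key_id: str) -> bool:
    """Set the topic's KmsMasterKeyId attribute (step 3) and read it back to confirm."""
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="KmsMasterKeyId", AttributeValue=kms_key_id
    )
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    return attrs.get("KmsMasterKeyId") == kms_key_id


def main(kms_key_id: str) -> None:
    import boto3  # imported here so the helpers above stay usable without the SDK

    kms, sns = boto3.client("kms"), boto3.client("sns")
    # Check the key policy before touching any topic: a key EventBridge cannot use
    # (the article's warning) would stop it from publishing to the encrypted topic.
    policy = kms.get_key_policy(KeyId=kms_key_id, PolicyName="default")["Policy"]
    if not policy_allows_eventbridge(policy):
        raise SystemExit("key policy lacks the EventBridge Decrypt/GenerateDataKey grant")
    for arn in find_prosperops_topics(sns):
        print(arn, "encrypted" if encrypt_topic(sns, arn, kms_key_id) else "FAILED")


if __name__ == "__main__":
    import sys

    main(sys.argv[1])  # key ID, ARN or alias of the customer managed key (assumed)
```

The policy check runs first so that a topic is never pointed at a key that EventBridge cannot use; because the check matches actions with IAM-style wildcards, it accepts both the article's exact statement and broader grants such as "kms:*".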


For further information, please refer to the Data Encryption section of the AWS SNS Developer Guide.