Json Yaml Server Side Encryption Disabled Sns
Description
Detects AWS SNS topics defined in CloudFormation templates that do not have server-side encryption (SSE) enabled. Without SSE, messages are stored at rest in plaintext, which can expose sensitive message data.
Detection Strategy
• Scan CloudFormation template files for SNS Topic resource definitions
• Check whether a resource exists with Type: 'AWS::SNS::Topic'
• Verify whether the Topic resource's Properties carry a server-side encryption configuration (a KmsMasterKeyId)
• Report a vulnerability for each SNS Topic found without encryption enabled
Vulnerable code example
Resources:
  Vuln:
    Type: 'AWS::SNS::Topic' # Vulnerable: SNS Topic defined without encryption
    Properties:
      DisplayName: 'MySNSTopicDisplayName' # Messages will be stored unencrypted

✅ Secure code example
Resources:
  Vuln:
    Type: 'AWS::SNS::Topic'
    Properties:
      DisplayName: 'MySNSTopicDisplayName'
      KmsMasterKeyId: !Ref 'TopicKMSKey' # Added encryption using KMS key for message protection
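The detection strategy above, implemented over a parsed template as an added example (not Fluid Attacks' own scanner code). It reads the template as JSON with the standard library, so the YAML short form `!Ref 'TopicKMSKey'` from the secure example appears here in its JSON equivalent `{"Ref": "TopicKMSKey"}`; the sample template and its logical IDs are constructed for this example.

```python
"""Flag AWS::SNS::Topic resources without server-side encryption in a CloudFormation template."""
import json

SNS_TOPIC = "AWS::SNS::Topic"


def load_template(text):
    """Parse a CloudFormation template given as JSON text (YAML would need a
    loader that understands short-form intrinsic tags such as !Ref)."""
    return json.loads(text)


def encryption_configured(props):
    """True when Properties carry a usable KmsMasterKeyId: a non-empty key id,
    alias or ARN, or an intrinsic function such as {"Ref": ...} that resolves
    to one at deploy time."""
    kms = props.get("KmsMasterKeyId")
    if isinstance(kms, str):
        return kms.strip() != ""
    return isinstance(kms, dict) and len(kms) > 0


def find_unencrypted_sns_topics(template):
    """Return the logical IDs of SNS topics that have no encryption configured.
    Topics with no Properties block at all are reported too."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != SNS_TOPIC:
            continue
        props = resource.get("Properties") or {}
        if not encryption_configured(props):
            findings.append(logical_id)
    return findings


# Constructed sample template: one unencrypted topic, one with no Properties,
# and one encrypted with a reference to a KMS key defined in the same template.
SAMPLE_TEMPLATE = """{
  "Resources": {
    "TopicKMSKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
    "Vuln": {"Type": "AWS::SNS::Topic",
             "Properties": {"DisplayName": "MySNSTopicDisplayName"}},
    "NoProps": {"Type": "AWS::SNS::Topic"},
    "Safe": {"Type": "AWS::SNS::Topic",
             "Properties": {"DisplayName": "MySNSTopicDisplayName",
                            "KmsMasterKeyId": {"Ref": "TopicKMSKey"}}}
  }
}"""

if __name__ == "__main__":
    for logical_id in find_unencrypted_sns_topics(load_template(SAMPLE_TEMPLATE)):
        print(f"{logical_id}: {SNS_TOPIC} without KmsMasterKeyId (messages stored unencrypted)")
```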