Terraform Server Side Encryption Disabled Sns
Description
Detects when an AWS SNS (Simple Notification Service) topic is configured without server-side encryption enabled. Server-side encryption at rest using AWS KMS helps protect sensitive data in SNS messages, and having it disabled could expose sensitive information.
Detection Strategy
• Check Terraform configurations for 'aws_sns_topic' resource declarations
• Verify if server-side encryption settings are missing or explicitly disabled in the topic configuration
• Report a vulnerability if the SNS topic does not have encryption enabled
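The three steps above, as an added worked example that is not Fluid Attacks' own checker: a dependency-free scanner that walks Terraform text, locates every `aws_sns_topic` resource block, and reports the ones where `kms_master_key_id` is absent or explicitly empty. The HCL subset it understands (one resource per `resource "type" "name" {` header, brace-balanced bodies, `#`/`//` line comments outside quoted strings) and the sample configuration are constructed assumptions for the demonstration.

```python
"""Flag aws_sns_topic resources without server-side encryption in Terraform HCL.

Added example, not Fluid Attacks' checker. Assumptions: one resource per
'resource "type" "name" {' header line, brace-balanced bodies, and '#' / '//'
comments that never appear inside quoted values.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

RESOURCE_HEADER = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
KMS_ATTR = re.compile(r'^\s*kms_master_key_id\s*=\s*(.+?)\s*$')
# Values that leave the topic unencrypted even though the argument is present.
DISABLED_VALUES = {'""', "null"}


@dataclass
class Finding:
    resource: str  # e.g. "aws_sns_topic.alerts"
    line: int      # 1-based line of the resource header
    reason: str


def strip_comment(line: str) -> str:
    """Drop '#' and '//' line comments (assumes none inside quoted values)."""
    for marker in ("#", "//"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line


def iter_resource_blocks(hcl: str) -> Iterator[Tuple[str, str, int, List[str]]]:
    """Yield (type, name, header_line_no, body_lines) for each resource block."""
    lines = hcl.splitlines()
    i = 0
    while i < len(lines):
        header = RESOURCE_HEADER.match(strip_comment(lines[i]))
        if not header:
            i += 1
            continue
        depth, body = 1, []
        j = i + 1
        # Brace counting so nested blocks (tags = { ... }) stay inside the body.
        while j < len(lines) and depth > 0:
            code = strip_comment(lines[j])
            depth += code.count("{") - code.count("}")
            if depth > 0:
                body.append(code)
            j += 1
        yield header.group(1), header.group(2), i + 1, body
        i = j


def check_sns_encryption(hcl: str) -> List[Finding]:
    """Step 1: find aws_sns_topic blocks. Step 2: inspect kms_master_key_id.
    Step 3: return one Finding per unencrypted topic."""
    findings: List[Finding] = []
    for rtype, rname, lineno, body in iter_resource_blocks(hcl):
        if rtype != "aws_sns_topic":
            continue
        values = [m.group(1) for m in map(KMS_ATTR.match, body) if m]
        resource = f"aws_sns_topic.{rname}"
        if not values:
            findings.append(Finding(resource, lineno, "kms_master_key_id is not set"))
        elif values[-1] in DISABLED_VALUES:  # last assignment wins, as in HCL
            findings.append(Finding(resource, lineno, "kms_master_key_id is explicitly empty or null"))
        # Any other value (ARN, alias, variable reference) counts as encryption enabled.
    return findings


# Constructed sample configuration: two unencrypted topics, one encrypted, one non-SNS resource.
SAMPLE_TF = '''
resource "aws_sns_topic" "alerts" {
  name = "alerts-topic"   # no encryption settings at all
}

resource "aws_sns_topic" "audit" {
  name              = "audit-topic"
  kms_master_key_id = ""   # argument present but empty: still unencrypted
  tags = {
    env = "prod"
  }
}

resource "aws_sns_topic" "secure" {
  name              = "secure-topic"
  kms_master_key_id = "alias/aws/sns"
}

resource "aws_sqs_queue" "not_a_topic" {
  name = "queue"
}
'''

if __name__ == "__main__":
    for f in check_sns_encryption(SAMPLE_TF):
        print(f"{f.resource} (line {f.line}): {f.reason}")
```

Running the script prints one line per unencrypted topic; the `secure` topic and the SQS queue are skipped. A reference such as `var.kms_key` is treated as encryption enabled, so a production check would additionally resolve variables before concluding the topic is protected.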
Vulnerable code example
resource "aws_sns_topic" "vulnerable_topic" {
  name = "unsecure-topic" # Vulnerable: SNS topic created without encryption configuration
}
✅ Secure code example
resource "aws_sns_topic" "secure_topic" {
  name              = "secure-topic"
  kms_master_key_id = "arn:aws:kms:region:account-id:key/key-id" # Enable server-side encryption with KMS key
}