Fix CRLY.01086: Encrypt SNS Topic Data

[curly-review]

Issue Details

ID: CRLY.01086
Severity: HIGH
File: sam/cfn/cfn-sns-topics.yaml

---

Remediation Summary

Description

The security finding indicates that the data stored in the SNS topic snsTalrClaRequest is not encrypted. To ensure data security, it's crucial to encrypt all SNS topic data at rest.

Steps

1. Create an AWS KMS Key: If you don't already have a KMS key, create one using the AWS SDK. Here's an example in Python using Boto3:

   import boto3
   
   # Create a KMS client
   kms = boto3.client('kms')
   
   # Create a KMS key
   response = kms.create_key()
   
   # Extract the key ID
   key_id = response['KeyMetadata']['KeyId']
   print(f"Created KMS key with ID: {key_id}")

2. Update the SNS Topic to Use the KMS Key: Modify the SNS topic configuration to use the KMS key for encryption. Here's an example in YAML:

   snsTalrClaRequest:
     Type: AWS::SNS::Topic
     Properties:
       DisplayName: !Join [ "-", [ "talr-cla-request", !Ref stage ] ]
       TopicName: !Join [ "-", [ "talr-cla-request", !Ref stage ] ]
       KmsMasterKeyId: !Ref YourKmsKeyArn  # Reference to the KMS key ARN

3. Deploy the Updated Template: Ensure that the updated template is deployed using your preferred Infrastructure as Code tool (e.g., AWS CloudFormation, Terraform).

Here's an example of how to update the SNS topic using the AWS SDK in Python:

import boto3

# Create an SNS client
sns = boto3.client('sns')

# Update the SNS topic with the KMS key
response = sns.set_topic_attributes(
    TopicArn='arn:aws:sns:region:account-id:snsTalrClaRequest',
    AttributeName='KmsMasterKeyId',
    AttributeValue='arn:aws:kms:region:account-id:key/key-id'
)

print(f"Updated SNS topic with KMS key: {response}")

Replace region, account-id, and key-id with your actual AWS region, account ID, and KMS key ID.