nozaq / terraform-aws-secure-baseline

Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
MIT License
1.13k stars 369 forks

default SNS topic encryption for Config and Alarm topics #229

Open php-workx opened 2 years ago

php-workx commented 2 years ago

Hey,

when running this module without settings for alarm_sns_topic_kms_master_key_id and config_sns_topic_kms_master_key_id, both SNS topics (Config and Alarm) fail the check [SNS.1] "This control checks whether an Amazon SNS topic is encrypted at rest using AWS KMS".

One can get the check pass with a configuration like this:

```hcl
  alarm_sns_topic_kms_master_key_id  = "alias/aws/sns"
  config_sns_topic_kms_master_key_id = "alias/aws/sns"
```

Would it make sense to use the AWS managed KMS key alias/aws/sns as a default instead of no encryption at all? E.g. here: https://github.com/nozaq/terraform-aws-secure-baseline/blob/4fcada952edd3650690c4928dc7f141899df4760/modules/alarm-baseline/variables.tf#L97

In a fresh AWS account there are no AWS managed KMS keys at all so I'm not entirely sure if it would work for the very first SNS topic created. We can certainly figure that out if you think this would be a reasonable default setting.

Thanks so much!

nozaq commented 2 years ago

@php-workx Thank you for your suggestion! The goal is to create one multi-region CMK for encrypting SNS topics across all regions, but it requires the AWS provider to support the multi-region key resource (an upstream ticket already exists, but it seems to be taking time).

In the meantime, using the AWS managed key by default would totally make sense for me 👍🏼

refs: #218

tomi-bigpi commented 2 years ago

Heads up on this change: AWS Chatbot will fail to send alerts if the SNS topic is encrypted.

If you have server-side encryption turned on for your Amazon SNS topics, they will not appear in your chat rooms. You can resolve this by turning off server-side encryption for your Amazon SNS topics.

Reference: https://docs.aws.amazon.com/chatbot/latest/adminguide/chatbot-troubleshooting.html

nozaq commented 2 years ago

@tomi-bigpi Thanks for the information, noted 📝 There should be a way to opt out of topic encryption even if we set a default encryption key.
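The shape the thread converges on, as an added example that is not the module's own code: a variable whose default is the AWS managed key alias/aws/sns (php-workx's proposal), consumed by an aws_sns_topic, with null as the opt-out so a topic that AWS Chatbot must read can be left unencrypted (tomi-bigpi's caveat). The variable, resource and module names are illustrative assumptions; the module path mirrors the one linked above but is not the module's actual interface.

```hcl
# Added example, not the module's own code. Variable, resource and module
# names are assumptions chosen for illustration.

variable "alarm_sns_topic_kms_master_key_id" {
  description = <<-EOT
    KMS key (key ID, ARN or alias) used to encrypt the alarm SNS topic at rest.
    Defaults to the AWS managed key alias/aws/sns so the topic passes the
    Security Hub check SNS.1 out of the box. Pass null to create the topic
    without server-side encryption, e.g. when AWS Chatbot must subscribe to it.
  EOT
  type        = string
  default     = "alias/aws/sns"

  # nullable = true (Terraform >= 1.1) is what makes the opt-out work: a null
  # passed by the caller is kept as null instead of being replaced by the
  # default, so kms_master_key_id below is omitted and the topic is unencrypted.
  nullable = true
}

resource "aws_sns_topic" "alarms" {
  name = "security-alarms" # illustrative name

  # null => the argument is omitted and SSE stays off for this topic.
  kms_master_key_id = var.alarm_sns_topic_kms_master_key_id
}

# Caller side. Leaving the variable unset keeps the encrypted default;
# passing null is the explicit opt-out for a Chatbot-fed topic.
module "alarm_baseline" {
  source = "./modules/alarm-baseline" # illustrative path

  # Opt out: AWS Chatbot does not deliver from SSE-enabled topics.
  alarm_sns_topic_kms_master_key_id = null
}
```

Two things to verify before relying on this in a real account: that the Terraform version in use honours `nullable = true` (older releases substitute the default for a null input, silently re-enabling encryption), and that whatever publishes to the topic (CloudWatch alarms, AWS Config) is permitted to use the chosen key, since an encrypted topic that the publisher cannot write to fails quietly. The fresh-account question raised in the original post (whether alias/aws/sns resolves before any AWS managed SNS key exists) is left open here, as it is in the thread.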