By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Enforce Encryption on SNS creation by SCP

0

I would like to create an SCP to enforce encryption on SNS creation. I am creating the below policy but it failed.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": [ "sns:CreateTopic" ], "Resource": "*", "Condition": { "StringNotEquals": { "KmsMasterKeyId": "alias/aws/sns" } } } ] }

Topics
Application IntegrationManagement & Governance
Tags
Amazon Simple Notification Service (SNS)EncryptionService Control Policy
Language
English
AWS-User-0680838
asked 2 years ago479 views
1 Answer
0

Unfortunately I do not believe that the SNS service supports the KmsMasterKeyId as a conditional:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html
As such the policy will not work as the string will always "not equal" and then fail through the Deny.

AWS
Craig_S
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content