Enforce Encryption on SNS creation by SCP

Question

I would like to create an SCP to enforce encryption on SNS creation. I am creating the below policy but it failed.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Deny",
			"Action": [
				"sns:CreateTopic"
			],
			"Resource": "*",
			"Condition": {
				"StringNotEquals": {
					"KmsMasterKeyId": "alias/aws/sns"
				}
			}	
		}
	]
}

Answer

Unfortunately I do not believe that the SNS service supports the KmsMasterKeyId as a conditional:   
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html  
As such the policy will not work as the string will always "not equal" and then fail through the Deny.

Enforce Encryption on SNS creation by SCP

相关内容