AWS016

Explanation

Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.

Insecure Example

The following example will fail the AWS016 check.

resource "aws_sns_topic" "my-topic" {
	# no key id specified
}

Secure Example

The following example will pass the AWS016 check.

resource "aws_sns_topic" "my-topic" {
	kms_master_key_id = "/blah"
}

Unencrypted SNS topic.

Explanation

Insecure Example

Secure Example

Related Links