AWS Cloud Operations Blog

Encrypt AWS Control Tower notifications with customer-managed keys

AWS Control Tower is a service that simplifies the setup and governance of a secure, multi-account AWS environment. As part of its security features, AWS Control Tower creates an Amazon Simple Notification Service (Amazon SNS) topic named aws-controltower-SecurityNotifications in each enrolled AWS account to deliver security-related notifications. These topics are encrypted at rest by default. Organizations with stricter security requirements, however, may need to encrypt them with an AWS Key Management Service (AWS KMS) customer managed key, so that they own the key material and control its key policy.

The challenges

Organizations face several challenges when applying customer managed key encryption to Amazon SNS topics across their AWS environment. A first technical constraint is that AWS Control Tower must be fully operational on version 3.3 or later before an AWS KMS customer managed key can be applied to its notification topics. Regulated industries add compliance pressure: frameworks such as GDPR, HIPAA and PCI DSS call for direct control over cryptographic keys. Operationally, configuring encryption by hand in every account and Region is error-prone, and keeping the configuration consistent across Regions and accounts is a significant administrative overhead. From a security governance perspective, organizations struggle to enforce a uniform encryption standard for Amazon SNS topics, to manage key access across organizational units, and to keep central control over encryption settings, all of which are essential to a robust security posture.

The solution

This solution automates AWS KMS customer managed key encryption for the Amazon SNS topics that AWS Control Tower creates and manages. It deploys an AWS CloudFormation stack in the AWS Control Tower management account. The stack creates an AWS Lambda function, invoked as a custom resource, which assumes the AWSControlTowerExecution role in each member account and updates that account's aws-controltower-SecurityNotifications topic to use the customer managed key you supply.
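The following is an added example, not the template or Lambda code from the post or the sample repository, showing the shape such a custom-resource function takes. The topic and role names come from the post; everything else (the session name, the physical resource ID, the assumption that each key ARN lives in the member account and Region whose topic it protects, and reporting success on Delete without reverting the topics) is an assumption of this example.

```python
"""Custom-resource Lambda that applies customer managed keys to the Control Tower
SNS topics. Added example; assumptions are marked in comments."""
import json
import re
import urllib.request
from typing import Dict, Tuple

TOPIC_NAME = "aws-controltower-SecurityNotifications"  # from the post
EXECUTION_ROLE = "AWSControlTowerExecution"             # from the post
# Format required by the post: arn:aws:kms:region:account-id:key/key-id
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/"
    r"(?P<key_id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def parse_key_arns(param: str) -> Dict[Tuple[str, str], str]:
    """Parse the comma-separated KMSKeyId parameter into {(account_id, region): key_arn}.
    Assumption: each key sits in the member account and Region of the topic it will
    protect, so the ARN itself says where it must be applied."""
    keys: Dict[Tuple[str, str], str] = {}
    for raw in param.split(","):
        arn = raw.strip()
        if not arn:
            continue
        match = KEY_ARN_RE.match(arn)
        if not match:
            raise ValueError(f"not a KMS key ARN in the required format: {arn!r}")
        target = (match["account"], match["region"])
        if target in keys:
            raise ValueError(f"more than one key supplied for {target[0]} in {target[1]}")
        keys[target] = arn
    if not keys:
        raise ValueError("KMSKeyId parameter is empty")
    return keys


def topic_arn(account_id: str, region: str) -> str:
    return f"arn:aws:sns:{region}:{account_id}:{TOPIC_NAME}"


def update_member_topic(account_id: str, region: str, key_arn: str) -> str:
    """Assume AWSControlTowerExecution in the member account, set KmsMasterKeyId on the
    topic and return the value read back, so the caller can confirm the change."""
    import boto3  # imported here so the pure helpers above can be tested without the SDK

    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{EXECUTION_ROLE}",
        RoleSessionName="ct-sns-kms-update",  # assumption
    )["Credentials"]
    sns = boto3.client(
        "sns", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    arn = topic_arn(account_id, region)
    sns.set_topic_attributes(TopicArn=arn, AttributeName="KmsMasterKeyId", AttributeValue=key_arn)
    return sns.get_topic_attributes(TopicArn=arn)["Attributes"].get("KmsMasterKeyId", "")


def send_cfn_response(event: dict, context, status: str, data: dict) -> None:
    """A custom resource must PUT its result to the pre-signed URL CloudFormation provides,
    otherwise the stack hangs until it times out."""
    body = json.dumps({
        "Status": status,
        "Reason": f"See log stream {getattr(context, 'log_stream_name', '')}",
        "PhysicalResourceId": event.get("PhysicalResourceId", "ct-sns-kms-update"),  # stable id
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def lambda_handler(event: dict, context) -> dict:
    results: Dict[str, str] = {}
    try:
        if event["RequestType"] in ("Create", "Update"):
            keys = parse_key_arns(event["ResourceProperties"]["KMSKeyId"])
            for (account_id, region), key_arn in keys.items():
                results[f"{account_id}/{region}"] = update_member_topic(account_id, region, key_arn)
        # Delete: this example leaves the topics on their customer managed keys (assumption).
        send_cfn_response(event, context, "SUCCESS", results)
    except Exception as exc:
        send_cfn_response(event, context, "FAILED", {"Error": str(exc)})
        raise
    return results
```

The handler fails the stack (and so surfaces a misconfigured key policy or a non-enrolled account) rather than silently skipping a topic; a SetTopicAttributes call that the role is not allowed to make raises and is reported back to CloudFormation as FAILED.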

Prerequisites

1. AWS Control tower setup

  • AWS Control Tower must be fully set up and operational with version 3.3 or later.

2. AWS Key Management Service

  • Customer-managed keys must be pre-created in all target Regions in all relevant accounts

3. Required permissions

  • The identity deploying the stack needs at least the following CloudFormation permissions. Because the template also creates IAM and Lambda resources, it needs permissions for those as well; refer to the guide on sample policies for more information. In production, scope Resource to your stack ARNs rather than "*":
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        }
    ]
}
  • In every member account, each customer managed key needs a key policy that grants the account's AWSControlTowerExecution role access to the key, lets the Amazon EventBridge service use the key, and lets the Amazon SNS service decrypt messages. Replace customer-MemberAccount-id, your_region and KMS_KEY_ID with the member account ID, the key's Region and the key ID:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow AWSControlTowerExecution to use the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::customer-MemberAccount-id:role/AWSControlTowerExecution"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:DescribeKey",
                "kms:ListGrants",
                "kms:RevokeGrant",
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:your_region:customer-MemberAccount-id:key/KMS_KEY_ID"
        },
        {
            "Sid": "Allow EventBridge to use KMS key",
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow SNS to decrypt archived messages",
            "Effect": "Allow",
            "Principal": {
                "Service": "sns.amazonaws.com"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "customer-MemberAccount-id"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:*:sns:your_region:customer-MemberAccount-id:*"
                }
            }
        }
    ]
}

4. Account requirements

  • Member accounts must be included in the `AWSControlTowerBP-BASELINE-CONFIG` StackSet. Refer to Enroll an existing AWS account.

Deployment instructions

  1. Log in to the AWS Control Tower management account and switch to your AWS Control Tower home Region.
  2. Download the CloudFormation template from the sample-aws-controltower-sns-encryption repository and launch a CloudFormation stack from it.
  3. Choose Next.
  4. Fill in the parameter KMSKeyId: a comma-separated list of customer managed key ARNs to use for SNS topic encryption.

Note:

  • Each ARN must be in the format arn:aws:kms:region:account-id:key/key-id, and the key must be pre-created in every target Region of every relevant account.
  • Because of CloudFormation parameter value constraints, each stack can accommodate approximately 38 key ARNs. For environments with more than 38 keys, deploy additional stacks for the extra keys.

Choose Next.

  5. Check the box for I acknowledge that AWS CloudFormation might create IAM resources and choose Create stack.

  6. Wait until the stack status changes to CREATE_COMPLETE.

The solution runs once, after the stack reaches CREATE_COMPLETE. In the Lambda console you should see an invocation of the <StackName>-SNSKMSUpdateFunction function and several invocations
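As an added example (not code from the post or its sample repository), the following handles the per-stack key limit from the note above and launches the stacks with boto3 instead of the console. The 38-key figure is the post's; the 4096-byte limit is CloudFormation's general parameter value limit and assumes the template sets no tighter MaxLength on KMSKeyId. The stack base name and the use of CAPABILITY_NAMED_IAM (which covers the console's IAM acknowledgement) are assumptions.

```python
"""Split a long key list across stacks and create them. Added example."""
from typing import List

MAX_KEYS_PER_STACK = 38   # per-stack figure given in the post
MAX_PARAM_BYTES = 4096    # CloudFormation parameter value limit (assumption: no tighter MaxLength)


def chunk_key_arns(key_arns: List[str],
                   max_keys: int = MAX_KEYS_PER_STACK,
                   max_bytes: int = MAX_PARAM_BYTES) -> List[str]:
    """Return comma-separated KMSKeyId values, one per stack, each holding at most
    max_keys ARNs and at most max_bytes bytes. Order of the ARNs is preserved."""
    chunks: List[str] = []
    current: List[str] = []
    for raw in key_arns:
        arn = raw.strip()
        if not arn:
            continue
        if len(arn.encode()) > max_bytes:
            raise ValueError(f"single ARN exceeds the parameter limit: {arn}")
        too_many = len(current) >= max_keys
        too_long = len(",".join(current + [arn]).encode()) > max_bytes
        if current and (too_many or too_long):
            chunks.append(",".join(current))
            current = []
        current.append(arn)
    if current:
        chunks.append(",".join(current))
    return chunks


def stack_names(base_name: str, count: int) -> List[str]:
    """A single stack keeps the base name; extra stacks get a numeric suffix."""
    if count == 1:
        return [base_name]
    return [f"{base_name}-{i}" for i in range(1, count + 1)]


def deploy_stacks(template_body: str, key_arns: List[str],
                  base_name: str = "ct-sns-kms-encryption") -> List[str]:
    """Create one stack per chunk and wait for CREATE_COMPLETE. Run with
    management-account credentials in the Control Tower home Region. Returns stack IDs."""
    import boto3  # imported here so the chunking logic can be tested without the SDK

    cfn = boto3.client("cloudformation")
    chunks = chunk_key_arns(key_arns)
    stack_ids: List[str] = []
    for name, value in zip(stack_names(base_name, len(chunks)), chunks):
        resp = cfn.create_stack(
            StackName=name,
            TemplateBody=template_body,
            Parameters=[{"ParameterKey": "KMSKeyId", "ParameterValue": value}],
            Capabilities=["CAPABILITY_NAMED_IAM"],  # the console's IAM acknowledgement
        )
        cfn.get_waiter("stack_create_complete").wait(StackName=name)  # step 6 above
        stack_ids.append(resp["StackId"])
    return stack_ids
```

Waiting for each stack before starting the next keeps the Lambda invocations from overlapping on the same accounts and makes a failed key policy show up against the stack that carries that key.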

Verification

  1. Log in to each relevant AWS member account
  2. Navigate to the Amazon SNS console
  3. Locate and select the topic named aws-controltower-SecurityNotifications
  4. Select the “Encryption” tab
  5. Verify that:
    • Server-side encryption is enabled
    • The KMS key ARN matches the Customer Managed Key (CMK) ARN that was provided in your CloudFormation stack
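Clicking through every account and Region does not scale, so the following added example (not code from the post) performs the same two checks programmatically, and also flags the two ways a topic can look "encrypted" while still failing the requirement: it still uses the AWS managed key alias/aws/sns, or its key is in a different Region from the topic. The caller supplies the function that fetches topic attributes (for example by assuming AWSControlTowerExecution and calling GetTopicAttributes), which is what keeps this check runnable offline; the sample attributes in the test are constructed.

```python
"""Programmatic version of the console verification. Added example."""
from typing import Callable, Dict, List, Tuple

TOPIC_NAME = "aws-controltower-SecurityNotifications"  # from the post
AWS_MANAGED_SNS_KEY = "alias/aws/sns"  # value reported by a topic that uses the AWS managed key


def check_topic_encryption(attributes: Dict[str, str], expected_key_arn: str) -> List[str]:
    """Apply the post's two checks (SSE enabled, key ARN matches) to a GetTopicAttributes
    result. Returns a list of findings; an empty list means the topic passes."""
    findings: List[str] = []
    topic = attributes.get("TopicArn", "")
    if not topic.endswith(":" + TOPIC_NAME):
        findings.append(f"unexpected topic {topic!r}")
    key = attributes.get("KmsMasterKeyId", "")
    if not key:
        findings.append("server-side encryption is not enabled")
    elif key == AWS_MANAGED_SNS_KEY:
        findings.append("topic uses the AWS managed key alias/aws/sns, not a customer managed key")
    elif key != expected_key_arn:
        findings.append(f"KmsMasterKeyId is {key}, expected {expected_key_arn}")
    # The key must live in the topic's Region; compare the Region fields of both ARNs.
    if key.startswith("arn:") and topic.startswith("arn:"):
        if key.split(":")[3] != topic.split(":")[3]:
            findings.append("key Region does not match topic Region")
    return findings


def audit_topics(expected: Dict[Tuple[str, str], str],
                 fetch_attributes: Callable[[str, str], Dict[str, str]]) -> Dict[str, List[str]]:
    """Check every (account_id, region) -> expected key ARN pair. fetch_attributes(account_id,
    region) returns the topic's attributes; a lookup failure (NotFound, AccessDenied) is a
    finding rather than an exception, so one bad account does not stop the audit."""
    report: Dict[str, List[str]] = {}
    for (account_id, region), key_arn in expected.items():
        label = f"{account_id}/{region}"
        try:
            attrs = fetch_attributes(account_id, region)
        except Exception as exc:
            report[label] = [f"could not read topic attributes: {exc}"]
            continue
        report[label] = check_topic_encryption(attrs, key_arn)
    return report


def failing(report: Dict[str, List[str]]) -> List[str]:
    """Account/Region labels with at least one finding, sorted for stable output."""
    return sorted(label for label, findings in report.items() if findings)
```

Treat any non-empty finding list as a failed verification: a topic still on alias/aws/sns is encrypted, but not with a key whose policy your organization controls, which is the whole point of the change.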

(Figure: To verify AWS SNS topics encryption)

Cleanup

To clean up this solution, delete the CloudFormation stack you created in the deployment steps above. Until then, the solution only affects the SNS topics in the accounts and Regions whose customer managed key ARNs you supplied as stack parameters.

Conclusion

In this post, you learned how to encrypt the Amazon SNS topics that AWS Control Tower creates with an AWS KMS customer managed key, improving your security posture and helping meet compliance requirements. Automating the change across accounts and Regions also reduces operational overhead while keeping control of the encryption keys with your organization.

To gain hands-on experience with AWS Control Tower, refer to the Control Tower workshop.

Gokendra Malviya

Gokendra is an AWS Lead DevOps Delivery Consultant with 13 years of IT industry experience. He specializes in helping enterprise customers migrate their multi-account AWS organization environments to AWS Control Tower, implementing security best practices and establishing well-architected frameworks. He focuses on building secure environments and ensuring compliance with industry standards. Outside of work, he enjoys playing carrom and chess.

Aarti Rajput

Aarti Rajput is an experienced AWS Lead DevOps Consultant, specializing in designing, implementing, and managing robust and scalable cloud-native architectures. She excels in using cutting-edge DevOps methodologies to streamline operations, enhance security, and ensure the high availability of mission-critical systems. Outside of work, she enjoys traveling the globe and exploring diverse cuisines.

Jitendra Shihani

Jitendra Shihani is a Technical Account Manager at AWS based out of Pune, India. He is a technology enthusiast, enjoys tackling complex challenges and making sure of flawless cloud operations for AWS customers. Beyond his professional pursuits, Jitendra enjoys delving into books during his free time. He’s also an avid traveler, always eager to explore new places.