AWS SNS Topic SSE

We’re using SqsTransport. My company requires Server Side Encryption for SQS and SNS. SQS Queues are presently managed by DevOps and SSE is enabled. I am starting to use Sagas and I want NSB to create the topics with SSE enabled. ChatGPT suggests there is a “topic factory” that can be plugged in, but the code given looks like a hallucination.

What’s the most direct, simple way to continue to allow NSB to create topics, but with SSE enabled?

@dastultz Thank you for reaching out.

For NServiceBus with SQS Transport, the guidance on required permissions and setup is here:

NServiceBus SQS Transport Prerequisites

For more details on enabling server-side encryption for topics, see:

AWS SNS SSE Documentation

For anyone finding this later, the documentation linked above does not describe how to configure NServiceBus to tell AWS to turn on SSE (for either SQS or SNS).

I ended up writing a background service that adds the necessary attributes to topics after the app starts up (and NServiceBus is done creating topics). This was the simplest way to do it without replacing large parts of the transport.

ChatGPT’s suggestion of a topic (and queue) factory would be nice. There’s already a name generator; an attribute generator would make this quite elegant.
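For readers who want to see what the background-service approach described above looks like, here is an added example (not code from the thread, from NServiceBus, or from Particular Software). It assumes the AWSSDK.SimpleNotificationService and Microsoft.Extensions.Hosting packages, a known name prefix shared by the topics the endpoint creates (`topicPrefix`) and a KMS key alias or ARN (`kmsKeyId`); both are hypothetical values you supply, and the fixed startup delay stands in for whatever "NServiceBus is done creating topics" signal your host provides.

```csharp
// Added example: after startup, find the endpoint's SNS topics and turn on
// SSE (KmsMasterKeyId) on any that do not have it yet.
using System;
using System.Threading;
using System.Threading.Tasks;
using Amazon.SimpleNotificationService;
using Amazon.SimpleNotificationService.Model;
using Microsoft.Extensions.Hosting;

public sealed class SnsTopicSseEnforcer : BackgroundService
{
    readonly IAmazonSimpleNotificationService sns;
    readonly string topicPrefix; // hypothetical: prefix your NSB-created topics share
    readonly string kmsKeyId;    // hypothetical: e.g. "alias/your-sns-key" or a key ARN

    public SnsTopicSseEnforcer(IAmazonSimpleNotificationService sns, string topicPrefix, string kmsKeyId)
    {
        this.sns = sns; this.topicPrefix = topicPrefix; this.kmsKeyId = kmsKeyId;
    }

    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
    {
        // Give the endpoint time to finish creating its topics (assumed delay).
        await Task.Delay(TimeSpan.FromSeconds(30), stoppingToken);

        string nextToken = null;
        do
        {
            var page = await sns.ListTopicsAsync(new ListTopicsRequest { NextToken = nextToken }, stoppingToken);
            foreach (var topic in page.Topics)
            {
                // A topic ARN ends in the topic name: arn:aws:sns:<region>:<account>:<name>
                var name = topic.TopicArn.Substring(topic.TopicArn.LastIndexOf(':') + 1);
                if (!name.StartsWith(topicPrefix, StringComparison.Ordinal)) continue;

                var attrs = await sns.GetTopicAttributesAsync(topic.TopicArn, stoppingToken);
                if (attrs.Attributes.TryGetValue("KmsMasterKeyId", out var existing) && !string.IsNullOrEmpty(existing))
                    continue; // already encrypted at rest, leave it alone

                await sns.SetTopicAttributesAsync(new SetTopicAttributesRequest
                {
                    TopicArn = topic.TopicArn,
                    AttributeName = "KmsMasterKeyId",
                    AttributeValue = kmsKeyId
                }, stoppingToken);
            }
            nextToken = page.NextToken;
        } while (nextToken != null && !stoppingToken.IsCancellationRequested);
    }
}
```

Register it with `services.AddHostedService(...)`; the IAM identity the endpoint runs under needs `sns:ListTopics`, `sns:GetTopicAttributes` and `sns:SetTopicAttributes` on the affected topics, and the KMS key policy must allow SNS to use the key.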

@dastultz,

I raised an improvement issue to track the feature request.

Regards,
.m


@dastultz,

I do have a question for you. I was looking into SSE and noticed that SQS supports two types of encryption:

  • SQS managed (for free)
  • KMS managed (with the additional KMS cost)

My understanding is that SNS only supports KMS encryption.

Is that correct?

If that’s the case, I assume that:

  • A managed encryption SQS queue cannot subscribe to a message published to a KMS SNS topic, but it requires KMS there as well
  • Does the above make managed encryption for SQS a non-starter, considering that it would be helpful only if the system never uses SNS?

Thanks, regards
.m

Hi, I do not know if SNS supports only KMS encryption.
My understanding of SSE is that it refers to “encryption at rest”, the durable storage of the messages somewhere. Once in transit, a different encryption method is used such as HTTPS. So I would think a message stored durably in SNS with encryption method A would be decrypted and sent over a common encrypted channel to SQS. SQS may then write the message to durable storage with encryption method B.
