
Policy: AWS > Turbot > Event Handlers > SNS > Topic > Customer Managed Key

A customer managed KMS key used for server-side encryption of the SNS topic created for the AWS Event Handlers.

If no key is specified, server side encryption will not be enabled.

If the specified key does not exist in AWS or is improperly specified in the policy, the SNS topic will silently stop working and halt event handling for the region. Resolve by picking an existing key or removing this policy.

Note that the key will not be created in this stack - it must already exist. The key policy must grant the kms:GenerateDataKey* and kms:Decrypt permissions to Amazon CloudWatch Events (events.amazonaws.com). The Guardrails user must also have permissions to decrypt messages with this CMK.

See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
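Because a wrong key or key policy makes the topic stop working silently, the key policy can be checked before this policy is set. The following is an added example, not Turbot or AWS code: it parses a key policy document and reports which of the two required actions are not granted to events.amazonaws.com. The function names, the Sid and both sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions and service principal named in the policy description above.
REQUIRED_ACTIONS = ("kms:GenerateDataKey*", "kms:Decrypt")
SERVICE = "events.amazonaws.com"

def as_list(value):
    """IAM JSON accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def missing_actions(key_policy_json, service=SERVICE, required=REQUIRED_ACTIONS):
    """Return required actions that no Allow statement grants to `service`.

    Only explicit Service principals are counted. Deny statements and
    Condition blocks are not evaluated, so an empty result is necessary
    but not sufficient for the topic to work.
    """
    granted = []
    for stmt in as_list(json.loads(key_policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and service in services:
            granted += [a.lower() for a in as_list(stmt.get("Action"))]
    # Each required name is matched as a literal string against the granted
    # globs, so a bare "kms:GenerateDataKey" does not cover "kms:GenerateDataKey*".
    return [r for r in required
            if not any(fnmatchcase(r.lower(), g) for g in granted)]

def sample_policy(actions, service=SERVICE):
    """Build a constructed single-statement key policy for the demo."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowEventsToUseKey",  # constructed Sid
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": actions,
        "Resource": "*"}]})

GOOD_POLICY = sample_policy(["kms:GenerateDataKey*", "kms:Decrypt"])
WEAK_POLICY = sample_policy("kms:GenerateDataKey")  # no wildcard, no Decrypt

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, "missing:", missing_actions(doc) or "nothing")
```

The input can be the policy text returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text`, where `<key-id>` is a placeholder for the key named in this policy.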

Targets

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

Policy Specification

Schema Type
string

Category
