Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | Amazon SNS does not use API keys in the traditional sense. Access is managed through IAM. | |
| Authentication & Authorization | IAM Integration | True | Amazon SNS integrates fully with AWS Identity and Access Management (IAM), allowing granular control over access to SNS resources through policies and roles. | |
| Authentication & Authorization | MFA | True | Multi-Factor Authentication (MFA) is available for IAM users who access SNS. SNS itself doesn't directly support MFA. | Applies to IAM users, not the service itself |
| Authentication & Authorization | Service Account Support | True | AWS IAM roles, which act as service accounts, are used for programmatic access to SNS, allowing for least privilege access control. | |
| Authentication & Authorization | Standard Protocols | True | SNS exposes its API over HTTPS, a standard protocol, and authenticates requests with standard AWS mechanisms, including AWS Signature Version 4. | Specific protocols vary depending on access method |
| Compliance & Certifications | Compliance Documentation | True | AWS provides compliance reports and documentation for its services, including SNS, on the AWS website. | |
| Compliance & Certifications | Industry Certifications | True | AWS maintains various compliance certifications and attestations for its services, including SNS. Specific certifications will vary depending on the relevant industry regulations. | Specific certifications vary |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking/redaction is not a built-in feature of SNS. It would need to be implemented at the application level before messages are sent to SNS. | Requires custom implementation |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | SNS itself doesn't have built-in DLP capabilities. Integration with other AWS services like Amazon Macie might be necessary to scan for sensitive data within messages. | Requires integration with other services |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data transfer between regions is possible, but requires explicit configuration and management. AWS services like S3 and SNS allow for cross-region replication and publishing, but these need to be explicitly enabled and their security aspects carefully considered. | Requires careful configuration |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides clear documentation on region selection and data location. The region selected during topic creation determines the data location. AWS also offers tools and services for monitoring and verifying data location, although precise physical location may not be explicitly disclosed. | |
| Data Residency & Sovereignty | Region Selection | True | Amazon SNS allows you to select the AWS region where your topics and messages are stored. Data remains within the selected region unless explicitly moved via cross-region mechanisms. | |
| Encryption | Encryption at Rest | True | Amazon SNS supports server-side encryption using AWS KMS-managed keys (SSE-KMS) and customer-managed KMS keys (CMK). Encryption at rest is not enabled by default and needs to be explicitly configured. | Requires configuration for server-side encryption |
| Encryption | Encryption in Transit | True | Amazon SNS uses TLS/SSL for secure communication between clients and the service. The specific TLS version is managed by AWS and generally adheres to industry best practices. | |
| Logging & Monitoring | Access Logging | True | Access logs are not automatically generated but can be enabled using CloudWatch Logs and appropriate configuration. | Requires configuration of CloudWatch Logs |
| Logging & Monitoring | Audit Logging | True | AWS CloudTrail logs API calls made to SNS. These logs can be used for auditing and security analysis. | |
| Logging & Monitoring | Log Retention | True | CloudWatch Logs allows for configuring custom retention policies for SNS logs. | |
| Logging & Monitoring | Monitoring & Alerting | True | Amazon CloudWatch can be used to monitor SNS metrics and set up alerts for various events. | |
| Network Security | API Gateway Integration | True | Amazon API Gateway can be used to manage and secure access to SNS, offering features such as throttling, request validation, and authentication. | Requires configuration |
| Network Security | DDoS Protection | True | Amazon SNS benefits from the inherent DDoS protection provided by the AWS infrastructure and AWS Shield. | |
| Network Security | Firewall Rules | True | While SNS itself doesn't have its own firewall rules, access can be controlled through VPC security groups and Network ACLs, which govern traffic to the VPC where SNS resources reside. | Indirectly, via VPC security groups and Network ACLs |
| Network Security | Private Access | True | SNS can be accessed privately within a VPC using various methods, allowing secure communication without exposing the service to the public internet. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | AWS follows industry best practices for secure API design, although the specifics are not publicly documented in detail for each service. | Indirectly, via AWS security practices |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | AWS employs secure coding practices and security testing throughout its development lifecycle. However, specifics about the process for SNS are not publicly available. | Indirectly, via AWS security practices |
| Vulnerability Management & Patching | Security Updates | True | AWS is responsible for patching and updating the underlying SNS infrastructure. Regular security updates are part of AWS's operational responsibilities. | |
| Vulnerability Management & Patching | Vulnerability Scanning | True | AWS performs regular security assessments and penetration testing of its services, including SNS. Specific details about the frequency and scope are generally not publicly disclosed. | Indirectly via AWS security practices |
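The Encryption at Rest and Encryption in Transit rows above say that server-side encryption with a KMS key is supported but must be configured explicitly, and that TLS protects traffic between clients and the service. The following is an added example, not code from the page or from AWS: a small offline audit that inspects an SNS topic's attribute map (the dict shape `boto3`'s `get_topic_attributes` returns under `Attributes`) and reports when the topic has no `KmsMasterKeyId` and when its policy carries no `Deny` statement on the `aws:SecureTransport` condition key. The two sample topics are constructed, with the AWS documentation placeholder account id `111122223333`; the `enforce_tls_statement` helper and the finding strings are this example's own.

```python
"""Offline audit of Amazon SNS topic attributes for two controls the matrix
lists as supported but not on by default: server-side encryption with a KMS
key (attribute KmsMasterKeyId) and a topic policy that denies non-TLS
requests via the aws:SecureTransport condition key.

Added example, not AWS's or the page's own code. Input is assumed to be the
dict returned by boto3 sns.get_topic_attributes(...)['Attributes']; the
sample topics below are constructed, not captured from a real account.
"""
import json


def has_kms_key(attrs: dict) -> bool:
    """True when a KMS key (AWS-managed alias or customer-managed key) is set."""
    return bool((attrs.get("KmsMasterKeyId") or "").strip())


def _statements(policy_json: str) -> list:
    """Parse the topic policy and always return a list of statements."""
    try:
        doc = json.loads(policy_json) if policy_json else {}
    except json.JSONDecodeError:
        return []
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def denies_insecure_transport(attrs: dict) -> bool:
    """True when some statement denies requests made with aws:SecureTransport=false."""
    for stmt in _statements(attrs.get("Policy", "")):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        # The value may be the string "false" or a JSON boolean false.
        if str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False


def audit_topic(attrs: dict) -> list:
    """Return a list of findings; an empty list means both controls are present."""
    findings = []
    if not has_kms_key(attrs):
        findings.append("no KmsMasterKeyId: encryption at rest is not enabled")
    if not denies_insecure_transport(attrs):
        findings.append("no Deny on aws:SecureTransport=false: policy does not require TLS")
    return findings


def enforce_tls_statement(topic_arn: str) -> dict:
    """Policy statement (this example's own) that rejects non-TLS requests to the topic."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "SNS:*",
        "Resource": topic_arn,
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


# Constructed sample data (placeholder account id from AWS documentation).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:orders"
OWNER_ALLOW = {
    "Sid": "OwnerPublish",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "SNS:Publish",
    "Resource": TOPIC_ARN,
}

# Weak topic: no KMS key, and a policy that only grants access.
WEAK_TOPIC = {
    "TopicArn": TOPIC_ARN,
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [OWNER_ALLOW]}),
}

# Hardened topic: AWS-managed SNS key alias plus the TLS-enforcing Deny statement.
HARDENED_TOPIC = {
    "TopicArn": TOPIC_ARN,
    "KmsMasterKeyId": "alias/aws/sns",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [OWNER_ALLOW, enforce_tls_statement(TOPIC_ARN)],
    }),
}


if __name__ == "__main__":
    for name, topic in (("weak", WEAK_TOPIC), ("hardened", HARDENED_TOPIC)):
        print(name, audit_topic(topic) or ["ok"])
```

Run against live data by replacing the two sample dicts with the `Attributes` map from `get_topic_attributes` for each topic ARN listed by `list_topics`; the audit needs only `sns:GetTopicAttributes` and `sns:ListTopics`, so the role running it can stay read-only. The check is deliberately conservative: it looks only for the exact condition key and effect, so a policy that restricts transport some other way would still be reported.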