
default SNS topic encryption for Config and Alarm topics #229

Open
php-workx opened this issue Oct 9, 2021 · 3 comments
Labels
enhancement New feature or request

Comments

@php-workx

Hey,

When running this module without settings for alarm_sns_topic_kms_master_key_id and config_sns_topic_kms_master_key_id, both SNS topics (Config and Alarm) fail the check [SNS.1] "This control checks whether an Amazon SNS topic is encrypted at rest using AWS KMS".

One can get the check pass with a configuration like this:

  alarm_sns_topic_kms_master_key_id  = "alias/aws/sns"
  config_sns_topic_kms_master_key_id = "alias/aws/sns"

Would it make sense to use the AWS managed KMS key alias/aws/sns as a default instead of no encryption at all?
e.g. here:

In a fresh AWS account there are no AWS managed KMS keys at all so I'm not entirely sure if it would work for the very first SNS topic created. We can certainly figure that out if you think this would be a reasonable default setting.

Thanks so much!

@nozaq
Owner

nozaq commented Oct 9, 2021

@php-workx Thank you for your suggestion! The goal is to create one multi-region CMK for encrypting SNS topics across all regions, but it requires the AWS provider to support the multi-region key resource (an upstream ticket already exists, but it seems to be taking time).

In the meantime, using the AWS managed key by default would totally make sense to me 👍🏼

refs: #218

@nozaq nozaq added the enhancement New feature or request label Oct 9, 2021
@tomi-bigpi

tomi-bigpi commented Oct 13, 2021

Heads up on this change: AWS Chatbot will fail to send alerts if the SNS topic is encrypted.

If you have server-side encryption turned on for your Amazon SNS topics, they will not appear in your chat rooms. You can resolve this by turning off server-side encryption for your Amazon SNS topics.

Reference: https://docs.aws.amazon.com/chatbot/latest/adminguide/chatbot-troubleshooting.html

@nozaq
Owner

nozaq commented Oct 16, 2021

@tomi-bigpi Thanks for the information, noted 📝. There should be a way to opt out of topic encryption even if we set a default encryption key.
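As an added example (not the module's own code), one way to express the default discussed in this thread, the AWS managed key alias/aws/sns, together with the opt-out nozaq mentions for topics that must stay unencrypted for AWS Chatbot subscribers. The topic name, the empty-string convention for "no encryption" and the validation block are assumptions made for this example.

```hcl
variable "alarm_sns_topic_kms_master_key_id" {
  description = <<-EOT
    KMS key (ID, ARN or alias) used to encrypt the alarm SNS topic at rest.
    Defaults to the AWS managed SNS key so the topic passes Security Hub
    check SNS.1. Set to "" to create the topic without server-side
    encryption, e.g. when AWS Chatbot must read from it.
  EOT
  type        = string
  default     = "alias/aws/sns"

  # Example-only guard: accept an alias, a key ID/ARN, or the explicit "" opt-out.
  validation {
    condition = (
      var.alarm_sns_topic_kms_master_key_id == "" ||
      can(regex("^(alias/|arn:aws[a-z-]*:kms:|[0-9a-f-]{36}$)", var.alarm_sns_topic_kms_master_key_id))
    )
    error_message = "Must be a KMS alias (alias/...), key ID, key ARN, or \"\" to disable encryption."
  }
}

resource "aws_sns_topic" "alarm" {
  name = "security-alarms" # assumed name for this example

  # "" means the operator explicitly opted out; null omits the attribute,
  # which leaves the topic unencrypted. Any other value is passed through.
  kms_master_key_id = var.alarm_sns_topic_kms_master_key_id == "" ? null : var.alarm_sns_topic_kms_master_key_id
}
```

With the default left in place the topic is encrypted with the AWS managed key; passing `alarm_sns_topic_kms_master_key_id = ""` reproduces the module's previous unencrypted behaviour for the Chatbot case.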
