Amazon SNS has announced the public preview of message data protection. To identify PII and other sensitive information in transit, the new SNS feature uses pattern matching, machine learning models, and data protection policies to simplify data protection and compliance in applications that exchange high volumes of data.
One of the first AWS managed services, SNS uses the publish/subscribe model for message delivery, supporting both standard and FIFO topics. For standard topics only, owners can now enable message data protection to scan messages in real time for sensitive data and either produce detailed audit reports or block message delivery.
Customers can define an audit policy to determine whether any of their systems are inadvertently sending or receiving sensitive data, or a block policy to prevent delivery altogether. Other applicable data identifiers include credentials, such as AWS secret access keys, and device identifiers, such as IP addresses and MAC addresses.
The CloudWatch metrics MessageWithFindings and MessageWithNoFindings track how frequently PII/PHI data is published to an SNS topic and the amount of sensitive data published to a topic.
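The audit and block policies described above are expressed as a JSON data protection policy attached to the topic. The following is an added example, not code from the article or from AWS: it assembles a policy with one audit statement (IP addresses are logged to CloudWatch Logs but still delivered) and one deny statement (messages containing an AWS secret access key are rejected), runs a minimal structural check, and shows how the policy would be applied with boto3. The policy name, log group and topic ARN are constructed placeholders; the `arn:aws:dataprotection::aws:data-identifier/...` names are assumed to match the managed identifiers current at the time of writing and should be verified against the AWS documentation before use.

```python
"""Build and check an Amazon SNS message data protection policy (added example)."""
import json

# Managed data identifiers referenced in the article (assumed names; verify against AWS docs).
DATA_IDENTIFIER_PREFIX = "arn:aws:dataprotection::aws:data-identifier/"
AWS_SECRET_KEY = DATA_IDENTIFIER_PREFIX + "AwsSecretKey"
IP_ADDRESS = DATA_IDENTIFIER_PREFIX + "IpAddress"

POLICY_VERSION = "2021-06-01"


def audit_statement(identifiers, findings_log_group, sample_rate=99):
    """Audit: scan inbound publishes, write findings to CloudWatch Logs, deliver anyway."""
    return {
        "Sid": "audit-device-identifiers",
        "DataDirection": "Inbound",
        "Principal": ["*"],
        "DataIdentifier": list(identifiers),
        "Operation": {
            "Audit": {
                "SampleRate": str(sample_rate),
                "FindingsDestination": {
                    "CloudWatchLogs": {"LogGroup": findings_log_group}
                },
            }
        },
    }


def deny_statement(identifiers):
    """Block: reject any inbound publish whose payload matches one of the identifiers."""
    return {
        "Sid": "block-credentials",
        "DataDirection": "Inbound",
        "Principal": ["*"],
        "DataIdentifier": list(identifiers),
        "Operation": {"Deny": {}},
    }


def build_policy(findings_log_group, audit_identifiers, block_identifiers):
    """Combine an audit statement and a deny statement into one policy document."""
    return {
        "Name": "sensitive-data-policy",  # constructed placeholder name
        "Description": "Audit device identifiers, block leaked AWS secret keys",
        "Version": POLICY_VERSION,
        "Statement": [
            audit_statement(audit_identifiers, findings_log_group),
            deny_statement(block_identifiers),
        ],
    }


def validate_policy(policy):
    """Structural pre-flight check; returns a list of problems (empty when the policy looks sound)."""
    errors = []
    if policy.get("Version") != POLICY_VERSION:
        errors.append("unexpected Version")
    statements = policy.get("Statement") or []
    if not statements:
        errors.append("policy has no statements")
    for idx, stmt in enumerate(statements):
        if stmt.get("DataDirection") not in ("Inbound", "Outbound"):
            errors.append(f"statement {idx}: bad DataDirection")
        if not stmt.get("DataIdentifier"):
            errors.append(f"statement {idx}: no DataIdentifier")
        ops = set(stmt.get("Operation", {}))
        if len(ops) != 1 or not ops <= {"Audit", "Deny"}:
            errors.append(f"statement {idx}: exactly one of Audit/Deny required")
    return errors


def policy_json(policy):
    """Serialized form expected by PutDataProtectionPolicy."""
    return json.dumps(policy, indent=2)


def apply_policy(topic_arn, policy):
    """Attach the policy to a standard topic (requires AWS credentials; not run offline)."""
    import boto3  # imported here so the module loads without boto3 installed
    if validate_policy(policy):
        raise ValueError(validate_policy(policy))
    sns = boto3.client("sns")
    sns.put_data_protection_policy(
        ResourceArn=topic_arn, DataProtectionPolicy=policy_json(policy)
    )


if __name__ == "__main__":
    doc = build_policy("/aws/vendedlogs/sns-findings", [IP_ADDRESS], [AWS_SECRET_KEY])
    print(policy_json(doc))
    # apply_policy("arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME", doc)  # placeholder ARN
```

Because the deny statement runs on `Inbound` traffic, a publish that matches is rejected at the API call, so the producing application sees the failure immediately; the audit statement leaves delivery untouched and instead feeds the findings log, which is where the `MessageWithFindings` metric becomes useful as an alarm source.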
This feature is currently available in a subset of AWS regions. Pricing is based on the amount of payload data scanned, with a minimum of 1 KB charged per message, plus the amount of audit report data generated. Prices depend on the region: message scanning starts at 0.08 USD per GB and audit reporting starts at 0.19 USD per GB.