Amazon SNS recently announced the public preview of message data protection. The new SNS feature identifies PII and other sensitive data in flight, combining pattern matching, machine learning models, and data protection policies to simplify data protection and compliance in applications that exchange high volumes of messages.
One of the first managed services on AWS, SNS uses the publish/subscribe model to deliver messages and supports both standard and FIFO topics. Owners of standard topics (FIFO topics are not supported) can now enable message data protection to scan messages in real time for sensitive data and either produce detailed audit reports or block delivery. Otavio Ferreira, senior software development manager at AWS, and his team explain:
With message data protection for SNS, you can scan messages in real time for PII/PHI data and receive audit reports containing scan results. You can also prevent applications from receiving sensitive data by blocking inbound messages to an SNS topic or outbound messages to an SNS subscription. Message data protection for SNS supports a repository of over 25 unique PII/PHI data identifiers. These include people's names, addresses, social security numbers, credit card numbers, and prescription drug codes. These capabilities can help you adhere to a variety of compliance regulations, including HIPAA, FedRAMP, GDPR, and PCI.
Source: https://docs.aws.amazon.com/sns/latest/dg/sns-message-data-protection-policies.html
Customers can define an audit policy to find out whether any of their systems are inadvertently sending or receiving sensitive data, or a block policy to prevent delivery of such messages altogether. Other supported data identifiers include credentials, such as AWS secret access keys, and device identifiers, such as IP and MAC addresses. David Boyne, senior developer advocate at AWS, tweets:
This is pretty neat. Using policies to detect PII information and audit or block messages in flight is awesome. Great for EDA applications as you scale them in orgs, it's so easy to add PII information into messages/events, be interesting to see this being used
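The audit-or-block choice described above is expressed as a data protection policy attached to the topic. The following is an added example, not code from the article or from AWS: it builds an audit policy (scan, report findings to a CloudWatch Logs group, deliver anyway) and a block policy (deny any message in which a listed identifier is found) for both directions, and attaches one of them with the SNS PutDataProtectionPolicy API. The policy grammar (version `2021-06-01`, statements with `DataDirection`, `Principal`, `DataIdentifier` and `Operation`) and the managed identifier ARNs for credit card numbers and US social security numbers are taken from the SNS documentation linked in the article; the topic ARN and log group name are hypothetical placeholders.

```python
"""Build and apply an Amazon SNS message data protection policy.

Added example. Assumptions: the policy grammar and the two managed
data-identifier ARNs below follow the SNS documentation; the topic ARN
and log group name are hypothetical placeholders.
"""
import json

POLICY_VERSION = "2021-06-01"

# Managed data identifiers named in the article (credit card numbers and
# US social security numbers); ARN form as documented for SNS.
IDENTIFIERS = [
    "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber",
    "arn:aws:dataprotection::aws:data-identifier/Ssn-US",
]


def audit_statement(direction, log_group, sample_rate=99):
    """Audit: scan messages in `direction`, report findings, still deliver.

    direction is "Inbound" (publish to the topic) or "Outbound"
    (delivery to a subscription); sample_rate is the percentage of
    matching messages that are reported.
    """
    return {
        "Sid": f"audit-{direction.lower()}",
        "DataDirection": direction,
        "Principal": ["*"],
        "DataIdentifier": IDENTIFIERS,
        "Operation": {
            "Audit": {
                "SampleRate": sample_rate,
                "FindingsDestination": {
                    "CloudWatchLogs": {"LogGroup": log_group}
                },
                "NoFindingsDestination": {},
            }
        },
    }


def deny_statement(direction):
    """Deny: reject any message in `direction` containing a listed identifier."""
    return {
        "Sid": f"deny-{direction.lower()}",
        "DataDirection": direction,
        "Principal": ["*"],
        "DataIdentifier": IDENTIFIERS,
        "Operation": {"Deny": {}},
    }


def build_policy(mode, log_group="/sns/data-protection/findings"):
    """Return a complete policy document for mode "audit" or "block"."""
    if mode == "audit":
        statements = [audit_statement("Inbound", log_group),
                      audit_statement("Outbound", log_group)]
    elif mode == "block":
        statements = [deny_statement("Inbound"), deny_statement("Outbound")]
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return {
        "Name": f"{mode}-pii-policy",
        "Description": f"{mode} PII/PHI findings in SNS messages",
        "Version": POLICY_VERSION,
        "Statement": statements,
    }


def apply_policy(topic_arn, policy, client=None):
    """Attach `policy` to a standard topic via PutDataProtectionPolicy.

    The SNS API takes the policy as a JSON string. `client` may be any
    object with a put_data_protection_policy method (e.g. a boto3 SNS
    client, created lazily so this module also loads offline).
    """
    if client is None:
        import boto3
        client = boto3.client("sns")
    return client.put_data_protection_policy(
        ResourceArn=topic_arn,
        DataProtectionPolicy=json.dumps(policy),
    )


if __name__ == "__main__":
    # Hypothetical topic ARN; printing the document instead of calling AWS.
    print(json.dumps(build_policy("block"), indent=2))
```

Start with the audit policy in a new environment: it tells you which producers are leaking identifiers without breaking them. Switch the statements to deny only once the findings log is clean, because a deny statement rejects the publish or delivery outright and the producer must handle that failure.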
Discussing possible use cases, Ferreira and his team write:
Consider an application that processes a variety of transactions for a set of health clinics, an organization that operates in a regulated environment. Compliance frameworks require that the organization take measures to protect both sensitive health records and financial information.
Two new CloudWatch metrics, MessageWithFindings and MessageWithNoFindings, count the messages published to a topic in which the scan did and did not find PII/PHI data, so teams can track how frequently, and in what volume, sensitive data reaches a topic.
Source: https://aws.amazon.com/about-aws/whats-new/2022/09/amazon-sns-preview-message-data-protection-sensitive-data-in-motion/
Amazon SNS message data protection is currently available in a subset of AWS regions. Pricing is based on the amount of payload data scanned (with a minimum of 1 KB charged per message) and on the amount of audit report data generated; prices vary by region, with message scanning starting at 0.08 USD per GB and audit reporting at 0.19 USD per GB.
During the preview, message data protection does not support the PublishBatch API for inbound messages, so batched publishes are not scanned.