serverless-plugin-aws-alerts
Use encryption as default for SNS
This is a Feature Proposal
Description
I want to suggest that all resources created use default encryption. The SNS queue was created without encryption:
```yaml
nameTemplate: $[functionName]-$[metricName]
topics:
  alarm: ${self:service}-${opt:stage}-alerts-alarm
definitions:
  iteratorAgeAlarm:
    namespace: AWS/Lambda
    metric: IteratorAge
    threshold: 60000 # 1 minute
    statistic: Maximum
    period: 60
    evaluationPeriods: 1
    comparisonOperator: GreaterThanThreshold
    treatMissingData: missing
```
- This would make it easier to deploy Well Architected Framework applications with Serverless.
- Since encryption would be default, a way to keep the encryption or use non-default KMS keys should also be available.
- I think enabling encryption on SNS is without interruption, so changing default behaviour should not be a breaking change.
Additional Data
Framework Core: 1.52.1 Plugin: 3.3.0 SDK: 2.3.0
I agree with OP. This would be a great feature and I would like to have it implemented.
Currently the workaround that I use is to append the KmsMasterKeyId on the resource created by the plugin serverless-plugin-aws-alerts, using the Serverless "resources". serverless.yml partial example:
```yaml
provider:
  # ...
custom:
  # ...
  alerts:
    topics:
      ok:
        topic: sns-alerts-ok
      alarm:
        topic: sns-alerts-alarm
  # ...
functions:
  # ...
resources:
  - Resources:
      AwsAlertsOk: # Append the following properties to the resource created by the plugin serverless-plugin-aws-alerts
        Properties:
          KmsMasterKeyId: enter-your-cmk-id-here
      AwsAlertsAlarm: # Append the following properties to the resource created by the plugin serverless-plugin-aws-alerts
        Properties:
          KmsMasterKeyId: enter-your-cmk-id-here
```
I hope it helps.
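A check for the gap this issue describes, as an added example (not code from the plugin or from either poster): it scans a compiled CloudFormation template for `AWS::SNS::Topic` resources without `KmsMasterKeyId` and lists the alarms that notify them. The template is constructed sample data; `LegacyTopic` and `ConsumerIteratorAgeAlarm` are hypothetical names, and the function names are this example's own.

```javascript
'use strict';

// Classify every AWS::SNS::Topic in a compiled CloudFormation template by its
// KmsMasterKeyId. Returns logical IDs grouped by encryption state.
function auditSnsEncryption(template) {
  const report = { unencrypted: [], awsManagedKey: [], customerKey: [] };
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::SNS::Topic') continue;
    const key = (res.Properties || {}).KmsMasterKeyId;
    if (key === undefined || key === null || key === '') {
      report.unencrypted.push(logicalId);
    } else if (typeof key === 'string' && /(^|:)alias\/aws\/sns$/.test(key)) {
      // The AWS-managed SNS key cannot be used by CloudWatch alarms to publish,
      // so report it separately from a customer managed key.
      report.awsManagedKey.push(logicalId);
    } else {
      report.customerKey.push(logicalId); // key id, ARN, or a Ref/Fn::GetAtt object
    }
  }
  return report;
}

// List the CloudWatch alarms whose actions reference any of the given topics.
function alarmsNotifying(template, topicIds) {
  const wanted = new Set(topicIds);
  const hits = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::CloudWatch::Alarm') continue;
    const p = res.Properties || {};
    const actions = [].concat(p.AlarmActions || [], p.OKActions || [], p.InsufficientDataActions || []);
    if (actions.some((a) => a && typeof a === 'object' && wanted.has(a.Ref))) hits.push(logicalId);
  }
  return hits;
}

// Constructed sample: one topic patched as in the workaround, one left as created.
const sampleTemplate = {
  Resources: {
    AwsAlertsOk: { Type: 'AWS::SNS::Topic', Properties: { KmsMasterKeyId: 'enter-your-cmk-id-here' } },
    AwsAlertsAlarm: { Type: 'AWS::SNS::Topic', Properties: { TopicName: 'sns-alerts-alarm' } },
    LegacyTopic: { Type: 'AWS::SNS::Topic', Properties: { KmsMasterKeyId: 'alias/aws/sns' } }, // hypothetical
    ConsumerIteratorAgeAlarm: { // hypothetical alarm name
      Type: 'AWS::CloudWatch::Alarm',
      Properties: { AlarmActions: [{ Ref: 'AwsAlertsAlarm' }], OKActions: [{ Ref: 'AwsAlertsOk' }] },
    },
  },
};

const sampleReport = auditSnsEncryption(sampleTemplate);
console.log(sampleReport, alarmsNotifying(sampleTemplate, sampleReport.unencrypted));
```

Run against the template that `serverless package` writes, this can gate a deploy on `unencrypted` being empty.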