

# Understanding Amazon SNS data protection policies
<a name="sns-message-data-protection-policies"></a>

**Important**  
Amazon SNS message data protection will no longer be available to new customers starting April 30, 2026. For more information and guidance on alternatives, see [Amazon SNS message data protection availability change](https://docs.aws.amazon.com/sns/latest/dg/sns-message-data-protection-availability-change.html).

## What are data protection policies?
<a name="what-are-data-protection-policies"></a>

Amazon SNS uses **data protection policies** to select the sensitive data that you want to scan for, and the actions to take to keep that data from being exchanged through your Amazon SNS topics. To select the sensitive data of interest, you use [data identifiers](sns-message-data-protection-managed-data-identifiers.md). Amazon SNS message data protection then detects the sensitive data by using machine learning and pattern matching. To act on data identifiers that are found, you define an **audit**, **de-identify**, or **deny** operation. These operations let you log the sensitive data that is found (or not found), mask or redact the sensitive data, or deny message publishing or delivery.

![\[Amazon SNS utilizes data protection policies to manage and secure sensitive data across different AWS services. It shows the workflow for both inbound and outbound messages, detailing how data is monitored and actions are taken based on policy settings like auditing, de-identifying, or denying data transmission to safeguard information such as personally identifiable information (PII) and protected health information (PHI).\]](http://docs.aws.amazon.com/sns/latest/dg/images/message-data-protection-policies-overview.png)


## How is the data protection policy structured?
<a name="overview-of-data-protection-policies"></a>

As illustrated in the following figure, a data protection policy document includes the following elements:
+ Optional policy-wide information at the top of the document
+ One or more individual statements

Each statement defines a single data protection rule: the data direction, the principals it applies to, the data identifiers to scan for, and the operation to perform when a match is found.

![\[The structure of a data protection policy in Amazon SNS, illustrating how the policy is composed of various elements like the policy name, description, version, and multiple statements that specify actions like auditing, de-identifying, or denying based on data direction, identifiers, and involved principals.\]](http://docs.aws.amazon.com/sns/latest/dg/images/payload-policy-process.png)


Only one data protection policy can be defined per Amazon SNS topic. A policy can contain one or more deny or de-identify statements, but at most one audit statement.

### JSON properties for the data protection policy
<a name="data-protection-policy-json-properties"></a>

A data protection policy requires the following basic policy information for identification:
+ **Name** – The policy name.
+ **Description** (Optional) – The policy description.
+ **Version** – The policy language version. The current version is 2021-06-01.
+ **Statement** – A list of statements that specifies data protection policy actions.

```
{
  "Name": "basicPII-protection",
  "Description": "Protect basic types of sensitive data",
  "Version": "2021-06-01",
  "Statement": [
        ...
  ]
}
```

### JSON properties for a policy statement
<a name="policy-statement-json-properties"></a>

A policy statement sets the detection context for the data protection operation.
+ **Sid** (Optional) – The statement identifier.
+ **DataDirection** – Inbound (for Publish API requests) or Outbound (for notification deliveries) with respect to the Amazon SNS topic.
+ **DataIdentifier** – The data identifiers for the sensitive data that the topic scans for, such as a name, address, or phone number.
+ **Principal** – The IAM principals that the statement applies to: for inbound statements, the principal that publishes to the topic; for outbound statements, the principal that created the subscription. Use `"*"` to match any principal.
+ **Operation** – The follow-on action, either **Audit**, **De-identify** (mask or redact), or **Deny** (block), which the Amazon SNS topic executes once it finds sensitive data.

```
{
    "Sid": "basicPII-inbound-protection",
    "DataDirection": "Inbound",
    "Principal": ["*"],
    "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/Name",
        "arn:aws:dataprotection::aws:data-identifier/PhoneNumber-US"
    ],
    "Operation": {
        ...
    }
}
```

### JSON properties for a policy statement operation
<a name="statement-operation-json-properties"></a>

A policy statement sets one of the following data protection operations.
+ [**Audit**](sns-message-data-protection-operations.md#statement-operation-json-properties-audit) – Emits metrics and finding logs without interrupting message publishing or delivery.
+ [**De-identify**](sns-message-data-protection-operations.md#statement-operation-json-properties-deidentify) – Masks or redacts sensitive data without interrupting message publishing or delivery.
+ [**Deny**](sns-message-data-protection-operations.md#statement-operation-json-properties-deny) – Blocks the Amazon SNS publish request or fails the message delivery.

## How do I determine the IAM principals for my data protection policy?
<a name="data-protection-policy-iam-principal-determined"></a>

Message data protection evaluates the `Principal` element of a statement against one of two IAM principals, depending on the data direction:

1. **Publish API Principal** (Inbound) – The authenticated IAM principal calling the Amazon SNS `Publish` API.

1. **Subscription Principal** (Outbound) – The authenticated IAM principal that called the `Subscribe` API during subscription creation.

`SubscriptionPrincipal` is a standard subscription attribute that you can read with the `GetSubscriptionAttributes` API, so you can confirm which principal an outbound statement will match before you write the policy:

```
{
  "Attributes": {
    "SubscriptionPrincipal": "arn:aws:iam::123456789012:user/NoNameAccess",
    "Owner": "123412341234",
    "RawMessageDelivery": "true",
    "TopicArn": "arn:aws:sns:us-east-1:123412341234:PII-data-topic",
    "Endpoint": "arn:aws:sqs:us-east-1:123456789012:NoNameAccess",
    "Protocol": "sqs",
    "PendingConfirmation": "false",
    "ConfirmationWasAuthenticated": "true",
    "SubscriptionArn": "arn:aws:sns:us-east-1:123412341234:PII-data-topic:5d8634ef-67ef-49eb-a824-4042b28d6f55"
  }
}
```

# Data protection policy operations in Amazon SNS
<a name="sns-message-data-protection-operations"></a>

The following sections describe the three operations that a data protection policy statement can perform on sensitive data: audit, de-identify, and deny. For a complete tutorial that includes an example application, see the [Introducing message data protection for Amazon SNS](https://aws.amazon.com/blogs/compute/introducing-message-data-protection-for-amazon-sns/) blog post.

## Audit operation
<a name="statement-operation-json-properties-audit"></a>

The **Audit** operation samples a percentage of the topic's inbound messages and logs sensitive data findings to an AWS destination. `SampleRate` is an integer from 0 to 99, the percentage of inbound messages to inspect. This operation requires at least one of the following logging destinations:

1. **FindingsDestination** – The logging destination when the Amazon SNS topic finds sensitive data in the payload.

1. **NoFindingsDestination** – The logging destination when the Amazon SNS topic doesn't find sensitive data in the payload.

Each destination can write to any combination of the following AWS services:
+ **Amazon CloudWatch Logs** (Optional) – The `LogGroup` must be in the topic's Region and its name must start with **/aws/vendedlogs/**.
+ **Amazon Data Firehose** (Optional) – The `DeliveryStream` must be in the topic's Region and have **Direct PUT** as its source. For additional details, see [Source, Destination, and Name](https://docs.aws.amazon.com/firehose/latest/dev/create-name.html) in the *Amazon Data Firehose Developer Guide*.
+ **Amazon S3** (Optional) – An Amazon S3 bucket name. [Extra actions are required for using an Amazon S3 bucket with SSE-KMS encryption enabled](#flow-logs-s3-cmk-policy).

```
{
  "Operation": {
    "Audit": {
      "SampleRate": "99",
      "FindingsDestination": {
            "CloudWatchLogs": {
                "LogGroup": "/aws/vendedlogs/log-group-name"
            },
            "Firehose": {
                "DeliveryStream": "delivery-stream-name"
            },
            "S3": {
                "Bucket": "bucket-name"
            }
      },
      "NoFindingsDestination": {
            "CloudWatchLogs": {
                "LogGroup": "/aws/vendedlogs/log-group-name"
            },
            "Firehose": {
                "DeliveryStream": "delivery-stream-name"
            },
            "S3": {
                "Bucket": "bucket-name"
            }
      }
    }
  }
}
```
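
As an added example (not code from the Amazon SNS documentation), the following Python module lints a policy document against the structural rules from the preceding sections: the required top-level keys and `Version`, the `Inbound`/`Outbound` data direction, exactly one operation per statement, at most one audit statement, a `SampleRate` of 0 to 99 with at least one destination, the `/aws/vendedlogs/` log group prefix, and exactly one of `MaskConfig` or `RedactConfig` for de-identify. The sample policy, its `Sid` values and the log group name are constructed for the example.

```python
"""Offline linter for Amazon SNS data protection policy documents.

Added example, not code from the Amazon SNS documentation. It checks the
document shape described on this page so that a malformed policy fails
locally instead of at PutDataProtectionPolicy time.
"""
import json

VENDED_LOGS_PREFIX = "/aws/vendedlogs/"
DATA_IDENTIFIER_PREFIX = "arn:aws:dataprotection:"
OPERATIONS = ("Audit", "Deidentify", "Deny")


def _check_audit(op, sid, errors):
    try:
        rate = int(op.get("SampleRate"))
    except (TypeError, ValueError):
        errors.append(f"{sid}: Audit SampleRate must be an integer 0-99")
    else:
        if not 0 <= rate <= 99:
            errors.append(f"{sid}: Audit SampleRate {rate} is outside 0-99")
    dests = [k for k in ("FindingsDestination", "NoFindingsDestination") if k in op]
    if not dests:
        errors.append(f"{sid}: Audit needs FindingsDestination and/or NoFindingsDestination")
    for dest in dests:
        log_group = op[dest].get("CloudWatchLogs", {}).get("LogGroup")
        if log_group is not None and not log_group.startswith(VENDED_LOGS_PREFIX):
            errors.append(f"{sid}: {dest} LogGroup must start with {VENDED_LOGS_PREFIX}")


def _check_deidentify(op, sid, errors):
    configs = [k for k in ("MaskConfig", "RedactConfig") if k in op]
    if len(configs) != 1:
        errors.append(f"{sid}: Deidentify needs exactly one of MaskConfig or RedactConfig")
    elif configs[0] == "MaskConfig":
        char = op["MaskConfig"].get("MaskWithCharacter")
        if not isinstance(char, str) or len(char) != 1:
            errors.append(f"{sid}: MaskWithCharacter must be a single character")


def validate_policy(policy):
    """Return a list of error strings; an empty list means the policy passes."""
    errors = [f"missing required key {k}" for k in ("Name", "Version", "Statement")
              if k not in policy]
    if policy.get("Version") != "2021-06-01":
        errors.append(f"unsupported Version {policy.get('Version')!r}; expected 2021-06-01")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty list"]

    audit_count = 0
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("DataDirection") not in ("Inbound", "Outbound"):
            errors.append(f"{sid}: DataDirection must be Inbound or Outbound")
        if not stmt.get("Principal"):
            errors.append(f"{sid}: Principal must list at least one principal or '*'")
        ids = stmt.get("DataIdentifier") or []
        if not ids or any(not str(d).startswith(DATA_IDENTIFIER_PREFIX) for d in ids):
            errors.append(f"{sid}: DataIdentifier must be non-empty {DATA_IDENTIFIER_PREFIX}... ARNs")
        ops = [k for k in OPERATIONS if k in stmt.get("Operation", {})]
        if len(ops) != 1:
            errors.append(f"{sid}: Operation must contain exactly one of {OPERATIONS}")
            continue
        if ops[0] == "Audit":
            audit_count += 1  # only one audit statement is allowed per policy
            _check_audit(stmt["Operation"]["Audit"], sid, errors)
        elif ops[0] == "Deidentify":
            _check_deidentify(stmt["Operation"]["Deidentify"], sid, errors)
    if audit_count > 1:
        errors.append(f"policy has {audit_count} Audit statements; only one is allowed")
    return errors


# Constructed sample policy: one inbound audit plus an outbound deny.
SAMPLE_POLICY = {
    "Name": "basicPII-protection",
    "Version": "2021-06-01",
    "Statement": [
        {"Sid": "audit-inbound", "DataDirection": "Inbound", "Principal": ["*"],
         "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
         "Operation": {"Audit": {"SampleRate": "99", "FindingsDestination": {
             "CloudWatchLogs": {"LogGroup": "/aws/vendedlogs/sns-findings"}}}}},
        {"Sid": "deny-outbound", "DataDirection": "Outbound", "Principal": ["*"],
         "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
         "Operation": {"Deny": {}}},
    ],
}

if __name__ == "__main__":
    # Exit non-zero on errors so the linter can gate a deployment pipeline.
    problems = validate_policy(SAMPLE_POLICY)
    print(json.dumps(problems or ["OK"], indent=2))
    raise SystemExit(1 if problems else 0)
```

To lint a real policy, load it with `json.load` and pass the dict to `validate_policy`. The linter checks document shape only; whether the principal calling `PutDataProtectionPolicy` holds the log delivery permissions described in the next section is a separate check.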

### Required permissions when specifying log destinations
<a name="required-permissions-log-operations"></a>

When you specify logging destinations in the data protection policy, you must add the following permissions to the IAM identity policy of the IAM principal that is calling the Amazon SNS `PutDataProtectionPolicy` API, or the `CreateTopic` API with the `--data-protection-policy` parameter.


| Audit destination | IAM permission | 
| --- | --- | 
| Default (required for any destination) | `logs:CreateLogDelivery`, `logs:GetLogDelivery`, `logs:UpdateLogDelivery`, `logs:DeleteLogDelivery`, `logs:ListLogDeliveries` | 
| CloudWatchLogs | `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, `logs:DescribeLogGroups` | 
| Firehose | `iam:CreateServiceLinkedRole`, `firehose:TagDeliveryStream` | 
| S3 | `s3:PutBucketPolicy`, `s3:GetBucketPolicy`. [Extra actions are required for using an Amazon S3 bucket with SSE-KMS encryption enabled](#flow-logs-s3-cmk-policy). | 

The following IAM identity policy grants all of the permissions in the preceding table. Replace the Region, account ID, log group name, and bucket name with your own values; the CloudWatch Logs resource is a log group ARN and names the `/aws/vendedlogs/` log group that the audit destination uses.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:us-west-1:123456789012:log-group:/aws/vendedlogs/SampleLogGroupName:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "firehose:TagDeliveryStream"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}
```

#### Required key policy for use with SSE-KMS
<a name="flow-logs-s3-cmk-policy"></a>

If you use an Amazon S3 bucket as a log destination, you can protect the data in your bucket by enabling either Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), or Server-Side Encryption with AWS KMS keys (SSE-KMS). For more information, see [Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the *Amazon S3 User Guide*.

If you choose SSE-S3, no additional configuration is required. Amazon S3 handles the encryption key.

If you choose SSE-KMS, you must use a customer managed key. You must update the key policy for your customer managed key so that the log delivery account can write to your S3 bucket. For more information about the required key policy for use with SSE-KMS, see [Amazon S3 bucket server-side encryption](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-SSE-KMS-S3) in the *Amazon CloudWatch Logs User Guide*.

### Audit destination log example
<a name="data-protection-policy-audit-destination-log"></a>

In the following example, `callerPrincipal` identifies the source of the sensitive content, and `messageId` matches the `MessageId` returned in the `Publish` API response, so a finding can be traced back to the specific publish call.

```
{
  "messageId": "34d9b400-c6dd-5444-820d-fbeb0f1f54cf",
  "auditTimestamp": "2022-05-12T02:10:44Z",
  "callerPrincipal": "arn:aws:iam::123412341234:role/Publisher",
  "resourceArn": "arn:aws:sns:us-east-1:123412341234:PII-data-topic",
  "dataIdentifiers": [
    {
      "name": "Name",
      "count": 1,
      "detections": [
        {
          "start": 1,
          "end": 2
        }
      ]
    },
    {
      "name": "PhoneNumber",
      "count": 2,
      "detections": [
        {
          "start": 3,
          "end": 4
        },
        {
          "start": 5,
          "end": 6
        }
      ]
    }
  ]
}
```

### Audit operation metrics
<a name="data-protection-policy-audit-metrics"></a>

When an audit operation has specified the `FindingsDestination` or the `NoFindingsDestination` property, the topic owners also receive CloudWatch `MessagesWithFindings` and `MessagesWithNoFindings` metrics.

![\[Example of an audit displaying data over a specified period of time.\]](http://docs.aws.amazon.com/sns/latest/dg/images/audit-operations-metrics.png)


## De-identify operation
<a name="statement-operation-json-properties-deidentify"></a>

The **De-identify** operation masks or redacts sensitive data from published or delivered messages. This operation is available for both inbound and outbound messages, and requires one of the following types of configurations:
+ **MaskConfig** – Mask each character of the detected data with one supported character (see the [list of supported mask characters](http://docs.aws.amazon.com/sns/latest/dg/sns-message-data-protection-operations.html)). For example, `ssn: 123-45-6789` becomes `ssn: ###########`.

  ```
  {
    "Operation": {
      "Deidentify": {
        "MaskConfig": {
          "MaskWithCharacter": "#"
        }
      }
    }
  }
  ```
+ **RedactConfig** – Redact by removing the detected data entirely. For example, `ssn: 123-45-6789` becomes `ssn: ` (empty).

  ```
  {
    "Operation": {
      "Deidentify": {
        "RedactConfig": {}
      }
    }
  }
  ```

On an inbound message, the sensitive data is de-identified after the audit operation. If the entire message is sensitive data, the `SNS:Publish` API caller instead receives the following error:

`Error code: AuthorizationError ...`

## Deny operation
<a name="statement-operation-json-properties-deny"></a>

The **Deny** operation interrupts either the `Publish` API request or the delivery of the message if the message contains sensitive data. The Deny operation object is empty, as it doesn't require additional configuration.

```
"Operation": {
    "Deny": {}
}
```

On an inbound message, the `SNS:Publish` API caller receives an authorization error.

`Error code: AuthorizationError ...`

On an outbound message, the Amazon SNS topic does not deliver the message to the subscription. To track denied deliveries, enable the topic's [delivery status logging](sns-topic-attributes.md). The following is an example of a delivery status log; the `providerResponse` text together with `statusCode` 403 distinguishes a data protection denial from other delivery failures:

```
{
    "notification": {
        "messageMD5Sum": "29638742ffb68b32cf56f42a79bcf16b",
        "messageId": "34d9b400-c6dd-5444-820d-fbeb0f1f54cf",
        "topicArn": "arn:aws:sns:us-east-1:123412341234:PII-data-topic",
        "timestamp": "2022-05-12T02:12:44Z"
    },
    "delivery": {
        "deliveryId": "98236591c-56aa-51ee-a5ed-0c7d43493170",
        "destination": "arn:aws:sqs:us-east-1:123456789012:NoNameAccess",
        "providerResponse": "The topic's data protection policy prohibits this message from being delivered to <subscription-arn>",
        "dwellTimeMs":20,
        "attempts":1,
        "statusCode": 403
    },
    "status": "FAILURE"
}
```
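
As an added example (not code from the Amazon SNS documentation), the following Python script triages the two record types shown above: audit findings written to a `FindingsDestination`, and delivery status logs in which an outbound Deny appears as a `FAILURE` with `statusCode` 403 and a `providerResponse` that names the data protection policy. The records are constructed to match the field names on this page; the second audit record, the second delivery record, and their message IDs and principals are invented for the example.

```python
"""Triage Amazon SNS message data protection logs (added example, not AWS code).

Handles the two record types on this page: audit findings written to a
FindingsDestination, and delivery status logs in which an outbound Deny is a
FAILURE with statusCode 403 and a providerResponse naming the policy.
"""
import json
from collections import Counter

DENY_MARKER = "data protection policy prohibits"
TOPIC = "arn:aws:sns:us-east-1:123412341234:PII-data-topic"

# Constructed audit finding records in the FindingsDestination format.
AUDIT_LOG_LINES = [
    json.dumps({"messageId": "34d9b400-c6dd-5444-820d-fbeb0f1f54cf",
                "auditTimestamp": "2022-05-12T02:10:44Z",
                "callerPrincipal": "arn:aws:iam::123412341234:role/Publisher",
                "resourceArn": TOPIC,
                "dataIdentifiers": [
                    {"name": "Name", "count": 1, "detections": [{"start": 1, "end": 2}]},
                    {"name": "PhoneNumber", "count": 2,
                     "detections": [{"start": 3, "end": 4}, {"start": 5, "end": 6}]}]}),
    json.dumps({"messageId": "0b5f4d52-8a8e-5d3a-9c5f-2f3e0c3e1a11",  # invented record
                "auditTimestamp": "2022-05-12T02:11:02Z",
                "callerPrincipal": "arn:aws:sts::123412341234:assumed-role/BatchJob/i-0abc",
                "resourceArn": TOPIC,
                "dataIdentifiers": [{"name": "CreditCardNumber", "count": 1,
                                     "detections": [{"start": 25, "end": 41}]}]}),
]

# Constructed delivery status records: one policy deny, one unrelated failure.
DELIVERY_LOG_LINES = [
    json.dumps({"notification": {"messageId": "34d9b400-c6dd-5444-820d-fbeb0f1f54cf",
                                 "topicArn": TOPIC},
                "delivery": {"destination": "arn:aws:sqs:us-east-1:123456789012:NoNameAccess",
                             "providerResponse": "The topic's data protection policy prohibits "
                                                 "this message from being delivered to <subscription-arn>",
                             "statusCode": 403},
                "status": "FAILURE"}),
    json.dumps({"notification": {"messageId": "7c1e9d3a-1f2b-5e4c-8d9a-3b4c5d6e7f80",
                                 "topicArn": TOPIC},
                "delivery": {"destination": "arn:aws:sqs:us-east-1:123456789012:NoNameAccess",
                             "providerResponse": "Queue does not exist", "statusCode": 400},
                "status": "FAILURE"}),
]


def summarize_findings(lines):
    """Count detections per (callerPrincipal, data identifier name)."""
    totals = Counter()
    for line in lines:
        record = json.loads(line)
        for ident in record.get("dataIdentifiers", []):
            totals[(record["callerPrincipal"], ident["name"])] += ident["count"]
    return totals


def policy_denials(lines):
    """Return (messageId, destination) for deliveries that the policy blocked.

    A 403 alone also covers ordinary access-denied endpoints; the
    providerResponse text is what attributes the failure to the policy.
    """
    denied = []
    for line in lines:
        record = json.loads(line)
        delivery = record.get("delivery", {})
        if (record.get("status") == "FAILURE" and delivery.get("statusCode") == 403
                and DENY_MARKER in delivery.get("providerResponse", "")):
            denied.append((record["notification"]["messageId"], delivery["destination"]))
    return denied


def correlate(audit_lines, delivery_lines):
    """Join blocked deliveries to the audit finding with the same messageId."""
    findings = {}
    for line in audit_lines:
        record = json.loads(line)
        findings[record["messageId"]] = record
    joined = []
    for message_id, destination in policy_denials(delivery_lines):
        finding = findings.get(message_id)
        joined.append({"messageId": message_id, "destination": destination,
                       "callerPrincipal": finding["callerPrincipal"] if finding else None,
                       "identifiers": [d["name"] for d in finding["dataIdentifiers"]]
                       if finding else []})
    return joined


if __name__ == "__main__":
    for (principal, name), n in summarize_findings(AUDIT_LOG_LINES).most_common():
        print(f"{n:3d}  {name:<18} {principal}")
    print(json.dumps(correlate(AUDIT_LOG_LINES, DELIVERY_LOG_LINES), indent=2))
```

The join in `correlate` only succeeds for messages that the audit statement sampled, so with a `SampleRate` below 99 some denied deliveries will have no matching finding. Treat `policy_denials` as the authoritative count of blocked deliveries and the join as enrichment that names the publishing principal where a finding exists.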

# Amazon SNS data protection policy examples
<a name="sns-message-data-protection-examples"></a>

The following examples are data protection policies that you can use to audit and deny sensitive data. For a complete tutorial that includes an example application, see the [Introducing message data protection for Amazon SNS](https://aws.amazon.com/blogs/compute/introducing-message-data-protection-for-amazon-sns/) blog post.

## Example policy for auditing
<a name="sns-message-data-protection-audit-example"></a>

Audit policies let you audit up to 99% of inbound messages and send findings to [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html), [Amazon Data Firehose](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html), and [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).

For example, you can create an audit policy to evaluate whether any of your systems are inadvertently sending or receiving sensitive data. If your audit results show that systems are sending credit card information to systems that don’t require it, you can implement a data protection policy to block the delivery of the data.

The following example audits 99% of the messages that flow through the topic by looking for credit card numbers and sending the findings to CloudWatch Logs, Firehose, and Amazon S3.

**Data protection policy**:

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": ["*"],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Audit": {
          "SampleRate": "99",
          "FindingsDestination": {
            "CloudWatchLogs": {
              "LogGroup": "<example log name>"
            },
            "Firehose": {
              "DeliveryStream": "<example stream name>"
            },
            "S3": {
              "Bucket": "<example bucket name>"
            }
          }
        }
      }
    }
  ]
}
```

**Audit results format example**:

```
{
    "messageId": "...",
    "callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
    "resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn", 
    "dataIdentifiers": [
        {
            "name": "CreditCardNumber",
            "count": 1,
            "detections": [
                { "start": 1, "end": 2 }
            ]
        }
    ],
    "timestamp": "2021-04-20T00:33:40.241Z"
}
```

## Example policy with inbound de-identify mask statement
<a name="sns-message-data-protection-inbound-deidentify-mask-example"></a>

The following example masks any `CreditCardNumber` in messages that `ExampleUser` publishes to the topic, replacing each character of the card number with `#` before the message is accepted. Subscribers receive the masked message; the original card number never enters the topic.

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "MaskConfig": {
            "MaskWithCharacter": "#"
          }
        }
      }
    }
  ]
}
```

**Inbound de-identify mask results example:**

```
// original message
My credit card number is 4539894458086459

// delivered message
My credit card number is ################
```

## Example policy with inbound de-identify redact statement
<a name="sns-message-data-protection-inbound-deidentify-redact-example"></a>

The following example redacts (removes) any `CreditCardNumber` from messages that `ExampleUser` publishes to the topic before the message is accepted, so the card number never enters the topic.

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "RedactConfig": {}
        }
      }
    }
  ]
}
```

**Inbound de-identify redact results example:**

```
// original message
My credit card number is 4539894458086459

// delivered message
My credit card number is
```

## Example policy with outbound de-identify mask statement
<a name="sns-message-data-protection-outbound-deidentify-mask-example"></a>

The following example masks any `CreditCardNumber` in messages delivered to subscriptions that `ExampleUser` created, replacing each character with `-`. Because the statement is `Outbound`, the published message itself is unchanged, and subscriptions created by other principals are not affected by this statement.

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Outbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "MaskConfig": {
            "MaskWithCharacter": "-"
          }
        }
      }
    }
  ]
}
```

**Outbound de-identify mask results example:**

```
// original message
My credit card number is 4539894458086459

// delivered message
My credit card number is ----------------
```

## Example policy with outbound de-identify redact statement
<a name="sns-message-data-protection-outbound-deidentify-redact-example"></a>

The following example redacts (removes) any `CreditCardNumber` from messages delivered to subscriptions that `ExampleUser` created. Because the statement is `Outbound`, the published message itself is unchanged, and subscriptions created by other principals are not affected by this statement.

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Outbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "RedactConfig": {}
        }
      }
    }
  ]
}
```

**Outbound de-identify redact results example:**

```
// original message
My credit card number is 4539894458086459

// delivered message
My credit card number is
```
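
As an added example (not Amazon SNS code), the following Python models what the four de-identify examples above do to a payload once the sensitive spans are known: `MaskConfig` replaces every character of each detection with `MaskWithCharacter` and preserves the message length, while `RedactConfig` removes the span entirely. The detector is a constructed stand-in for the managed `CreditCardNumber` identifier (runs of 13 to 19 digits that pass a Luhn check) and is not the service's detection logic; the `MASK_HASH` and `REDACT` names are the example's own.

```python
"""Local model of the Deidentify operation (added example, not AWS code).

The detection step here is a constructed approximation of the managed
CreditCardNumber identifier; only the MaskConfig/RedactConfig handling
is the point. Spans are (start, end) pairs like the 'detections' list in
the audit log records shown on this page.
"""
import re

CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn checksum, used to drop random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_credit_cards(message):
    """Return (start, end) spans for Luhn-valid 13-19 digit runs."""
    return [(m.start(), m.end()) for m in CARD_CANDIDATE.finditer(message)
            if luhn_ok(m.group())]


def deidentify(message, spans, operation):
    """Apply a statement's Deidentify operation object to the detected spans."""
    config = operation["Deidentify"]
    if "MaskConfig" in config:
        mask_char = config["MaskConfig"]["MaskWithCharacter"]

        def replace(text):
            return mask_char * len(text)  # same length, structure visible
    elif "RedactConfig" in config:
        def replace(text):
            return ""  # span removed, message gets shorter
    else:
        raise ValueError("Deidentify needs MaskConfig or RedactConfig")
    # Process spans from the end so earlier offsets stay valid after edits.
    out = message
    for start, end in sorted(spans, reverse=True):
        out = out[:start] + replace(out[start:end]) + out[end:]
    return out


def apply_statement(message, operation):
    """Detect card numbers and de-identify them as the statement specifies."""
    return deidentify(message, detect_credit_cards(message), operation)


# Operation objects in the form used by the policy examples on this page.
MASK_HASH = {"Deidentify": {"MaskConfig": {"MaskWithCharacter": "#"}}}
REDACT = {"Deidentify": {"RedactConfig": {}}}

if __name__ == "__main__":
    msg = "My credit card number is 4539894458086459"
    print(apply_statement(msg, MASK_HASH))
    print(repr(apply_statement(msg, REDACT)))
```

Masking keeps the message the same length, so downstream parsers that expect a fixed layout keep working, while redaction leaves a visible gap; choose between them based on what the subscribers do with the payload.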

## Example policy with inbound deny statement
<a name="sns-message-data-protection-inbound-deny-example"></a>

The following example blocks a user from publishing a message to a topic with `CreditCardNumber` in the message content. Denied payloads in the API response have a status code of "403 AuthorizationError".

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deny": {}
      }
    }
  ]
}
```

## Example policy with outbound deny statement
<a name="sns-message-data-protection-outbound-deny-example"></a>

The following example blocks delivery of messages that contain `CreditCardNumber` to subscriptions that `ExampleUser` created. Deliveries to subscriptions created by other principals are not affected by this statement.

```
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Outbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deny": {}
      }
    }
  ]
}
```

**Outbound deny results example, logged in Amazon CloudWatch:**

```
{
  "notification": {
    "messageMD5Sum": "2e8f58ff2eeed723b56b15493fbfb5a5",
    "messageId": "8747a956-ebf1-59da-b291-f2c2e4b87c9c",
    "topicArn": "arn:aws:sns:us-east-2:664555388960:test1",
    "timestamp": "2022-09-08 15:40:57.144"
  },
  "delivery": {
    "deliveryId": "6a422437-78cc-5171-ad64-7fa3778507aa",
    "destination": "arn:aws:sqs:us-east-2:664555388960:test",
    "providerResponse": "The topic's data protection policy prohibits this message from being delivered to <subscription arn>",
    "dwellTimeMs": 22,
    "attempts": 1,
    "statusCode": 403
  },
  "status": "FAILURE"
}
```

# Creating data protection policies in Amazon SNS
<a name="sns-message-data-protection-configure"></a>

[Data protection policies](sns-message-data-protection-policies.md) help you safeguard the data that's published to your Amazon SNS topics by auditing, de-identifying (masking or redacting), and denying (blocking) sensitive information that moves between applications or AWS services. You can use the AWS API, the AWS CLI, AWS CloudFormation, the AWS Management Console, or an AWS SDK to create data protection policies in Amazon SNS. Only one policy can be defined per Amazon SNS topic. Each data protection policy can have one or more de-identify and deny statements, but only one audit statement.

**Topics**
+ [Using API](sns-message-data-protection-configure-api.md)
+ [Using AWS CLI](sns-message-data-protection-configure-cli.md)
+ [Using CloudFormation](sns-message-data-protection-configure-cfn.md)
+ [Using the AWS Management Console](sns-message-data-protection-configure-console.md)
+ [Using AWS SDK](sns-message-data-protection-configure-sdk.md)

# Creating data protection policies in Amazon SNS using the API
<a name="sns-message-data-protection-configure-api"></a>

The number and size of Amazon SNS resources in an AWS account are limited. For more information, see [Amazon Simple Notification Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sns.html).

## Creating a data protection policy using API
<a name="create-policies-api"></a>

Create an Amazon SNS data protection policy using the AWS API.

**To create a data protection policy together with an Amazon SNS topic (AWS API)**  
Use the `DataProtectionPolicy` request parameter when you create a standard Amazon SNS topic:
+ [CreateTopic](https://docs.aws.amazon.com/sns/latest/api/API_CreateTopic.html)

**To retrieve or create a data protection policy for an existing Amazon SNS topic (AWS API)**  
Call one of the following operations:
+ [GetDataProtectionPolicy](https://docs.aws.amazon.com/sns/latest/api/API_GetDataProtectionPolicy.html)
+ [PutDataProtectionPolicy](https://docs.aws.amazon.com/sns/latest/api/API_PutDataProtectionPolicy.html)

# Creating data protection policies in Amazon SNS using the CLI
<a name="sns-message-data-protection-configure-cli"></a>

## Creating data protection policies using the AWS CLI
<a name="create-policies-cli"></a>

Create an Amazon SNS data protection policy using the AWS Command Line Interface. 

**To create a data protection policy together with an Amazon SNS topic (AWS CLI)**  
Use this option to create a new data protection policy together with a standard Amazon SNS topic:
+ [create-topic](https://docs.aws.amazon.com/cli/latest/reference/sns/create-topic.html)

**To create or retrieve a data protection policy for an existing Amazon SNS topic (AWS CLI)**  
Call one of the following operations:
+ [get-data-protection-policy](https://docs.aws.amazon.com/cli/latest/reference/sns/get-data-protection-policy.html)
+ [put-data-protection-policy](https://docs.aws.amazon.com/cli/latest/reference/sns/put-data-protection-policy.html)

# Creating data protection policies in Amazon SNS using CloudFormation
<a name="sns-message-data-protection-configure-cfn"></a>

## Creating data protection policies (CloudFormation)
<a name="create-policies-cfn"></a>

Create an Amazon SNS data protection policy using CloudFormation. 

**To create a data protection policy together with an Amazon SNS topic (CloudFormation)**  
Use this option to create a new data protection policy together with a standard Amazon SNS topic:
+ [AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html)

# Creating data protection policies in Amazon SNS using the console
<a name="sns-message-data-protection-configure-console"></a>

**To create a data protection policy together with an Amazon SNS topic (Console)**  
Use this option to create a new data protection policy together with a standard Amazon SNS topic.

1. Sign in to the [Amazon SNS console](https://console.aws.amazon.com/sns/home).

1. Choose a topic or create a new one. For more details on creating topics, see [Creating an Amazon SNS topic](sns-create-topic.md).

1. On the **Create topic** page, in the **Details** section, choose **Standard**.

   1. Enter a **Name** for the topic.

   1. (Optional) Enter a **Display name** for the topic.

1. Expand **Data protection policy**.

1. Choose a **Configuration mode**:
   + **Basic** – Define a data protection policy using a simple menu.
   + **Advanced** – Define a custom data protection policy using JSON.

1. (Optional) To create your own **custom data identifier**, expand the **Custom data identifier configuration** section and do the following:

   1. Enter a unique **name** for the custom data identifier. Custom data identifier names support alphanumeric, underscore (_), and hyphen (-) characters. Up to 128 characters are supported. This name cannot be the same as the name of a [managed data identifier](sns-message-data-protection-managed-data-identifiers.md). For a full list of custom data identifier limitations, see [Custom data identifier constraints](sns-message-data-protection-custom-data-identifiers.md#custom-data-identifiers-limitations).

   1. Enter a regular expression (RegEx) for the custom data identifier. RegEx supports alphanumeric characters, RegEx reserved characters, and symbols. RegEx has a maximum length of 200 characters. If the RegEx is too complex, Amazon SNS rejects the API call. For a full list of RegEx limitations, see [Custom data identifier constraints](sns-message-data-protection-custom-data-identifiers.md#custom-data-identifiers-limitations).

   1. (Optional) Choose **Add custom data identifier** to add additional data identifiers as needed. A maximum of 10 custom data identifiers are supported for each data protection policy.

1. Choose the statement(s) that you'd like to add to your data protection policy. You can add **audit**, **de-identify** (mask or redact), and **deny** (block) statement types to the same data protection policy.

   1. **Add audit statement** – Configure which sensitive data to audit, what percentage of messages you want to audit for that data, and where to send audit logs.
**Note**  
Only one audit statement is allowed per data protection policy or topic.

      1. Select **Data identifiers** to define the sensitive data that you want to audit.

      1. For **Audit sample rate**, enter the percentage of messages to audit for sensitive information, up to a maximum of 99%.

      1. For **Audit destination**, select the AWS services to send the audit findings to, and enter a destination name for each service that you use. You can select from the following AWS services:
         + **Amazon CloudWatch** – CloudWatch Logs is the AWS standard logging solution. Using CloudWatch Logs, you can perform log analytics using Logs Insights ([see samples here](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-examples.html)) and create metrics and alarms. CloudWatch Logs is where many services publish logs, which makes it easier to aggregate all logs using one solution. For information about Amazon CloudWatch, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html).
         + **Amazon Data Firehose** – Firehose satisfies the demands for real-time streaming to Splunk, OpenSearch, and Amazon Redshift for further log analytics. For information about Amazon Data Firehose, see the [Amazon Data Firehose Developer Guide](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html).
         + **Amazon Simple Storage Service** – Amazon S3 is an economical log destination for archival purposes. You may be required to retain logs for a period of years. In this case, you can put logs into Amazon S3 to save costs. For information about Amazon Simple Storage Service, see the [Amazon Simple Storage Service User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).

   1. **Add a de-identify statement** – Configure the sensitive data you want to de-identify in the message, whether you want to mask or redact that data, and the accounts to stop delivery of that data.

      1. For **Data identifiers**, select the sensitive data that you want to de-identify.

      1. For **Define this de-identify statement for**, select the AWS accounts or IAM principals to which this de-identify statement applies. You can apply it to **all AWS accounts**, or to **specific AWS accounts** or **IAM entities** (account roots, roles, or users) identified by account IDs or IAM entity ARNs. Separate multiple IDs or ARNs using a comma ( , ).

         The following [IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) are supported:
         + **IAM account principals** – For example, `arn:aws:iam::AWS-account-ID:root`.
         + **IAM role principals** – For example, `arn:aws:iam::AWS-account-ID:role/role-name`.
         + **IAM user principals** – For example, `arn:aws:iam::AWS-account-ID:user/user-name`.

      1. For **De-identify Option**, select how you want to de-identify the sensitive data. The following options are supported:
         + **Redact** – Completely removes data. For example, email: `classified@amazon.com` becomes email: ` `.
         + **Mask** – Replaces the data with single characters. For example, email: `classified@amazon.com` becomes email: `*********************`.

      1. (Optional) Continue to add de-identify statements as needed.

   1. **Add deny statement** – Configure which sensitive data to prevent from moving through your topic, and which principals to prevent from delivering that data.

      1. For **Data direction**, choose the direction of the messages for the deny statement:
         + **Inbound messages** – Apply this deny statement to messages that are sent to the topic.
         + **Outbound messages** – Apply this deny statement to messages that the topic delivers to subscription endpoints.

      1. Choose the **data identifiers** to define the sensitive data that you want to deny.

      1. Choose the **IAM principals** that apply to this deny statement. You can apply it to **all AWS accounts**, to **specific AWS accounts**, or to **IAM entities** (for example, account roots, roles, or users) identified by account IDs or IAM entity ARNs. Separate multiple IDs or ARNs using a comma ( , ). The following [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) principals are supported:
         + **IAM account principals** – For example, `arn:aws:iam::AWS-account-ID:root`.
         + **IAM role principals** – For example, `arn:aws:iam::AWS-account-ID:role/role-name`.
         + **IAM user principals** – For example, `arn:aws:iam::AWS-account-ID:user/user-name`.

      1. (Optional) Continue to add deny statements as needed.

# Creating Amazon SNS data protection policies to secure message data using the SDK
<a name="sns-message-data-protection-configure-sdk"></a>

## Creating data protection policies using the AWS SDK
<a name="create-policies-sdk"></a>

Create an Amazon SNS data protection policy using the AWS SDK.

**To create a data protection policy together with an Amazon SNS topic (AWS SDK)**  
Use the following options to create a new data protection policy together with a standard Amazon SNS topic:

------
#### [ Java ]

```
import software.amazon.awssdk.services.sns.SnsClient;
import software.amazon.awssdk.services.sns.model.CreateTopicRequest;
import software.amazon.awssdk.services.sns.model.CreateTopicResponse;
import software.amazon.awssdk.services.sns.model.SnsException;

/**
 * For information regarding CreateTopic see this documentation topic:
 *
 * https://docs.aws.amazon.com/code-samples/latest/catalog/javav2-sns-src-main-java-com-example-sns-CreateTopic.java.html
 *
 * Creates a standard topic and attaches the data protection policy in the same call.
 * dataProtectionPolicy is the policy document serialized as a JSON string.
 * Returns the ARN of the new topic, or exits on an SNS error.
 */
public static String createSNSTopicWithDataProtectionPolicy(SnsClient snsClient, String topicName, String dataProtectionPolicy) {
    try {
        CreateTopicRequest request = CreateTopicRequest.builder()
                .name(topicName)
                .dataProtectionPolicy(dataProtectionPolicy)
                .build();

        CreateTopicResponse result = snsClient.createTopic(request);
        return result.topicArn();
    } catch (SnsException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    return "";
}
```

------
#### [ JavaScript ]

```
// Import required AWS SDK clients and commands for Node.js
import { CreateTopicCommand } from "@aws-sdk/client-sns";
import { snsClient } from "./libs/snsClient.js";

// Set the parameters. DataProtectionPolicy is the policy document as a JSON string.
const params = { Name: "TOPIC_NAME", DataProtectionPolicy: "DATA_PROTECTION_POLICY" };

const run = async () => {
  try {
    const data = await snsClient.send(new CreateTopicCommand(params));
    console.log("Success.", data);
    return data; // For unit tests.
  } catch (err) {
    console.log("Error", err.stack);
  }
};
run();
```

------

**To create or retrieve a data protection policy for an existing Amazon SNS topic (AWS SDK)**  
Use the following options to create or retrieve a data protection policy for an existing standard Amazon SNS topic:

------
#### [ Java ]

```
import software.amazon.awssdk.services.sns.SnsClient;
import software.amazon.awssdk.services.sns.model.GetDataProtectionPolicyRequest;
import software.amazon.awssdk.services.sns.model.GetDataProtectionPolicyResponse;
import software.amazon.awssdk.services.sns.model.PutDataProtectionPolicyRequest;
import software.amazon.awssdk.services.sns.model.PutDataProtectionPolicyResponse;
import software.amazon.awssdk.services.sns.model.SnsException;

/**
 * Attaches (or replaces) the data protection policy of an existing topic.
 * topicArn is the topic's ARN (the API's ResourceArn), not its name;
 * dataProtectionPolicy is the policy document as a JSON string.
 */
public static void putDataProtectionPolicy(SnsClient snsClient, String topicArn, String dataProtectionPolicy) {
    try {
        PutDataProtectionPolicyRequest request = PutDataProtectionPolicyRequest.builder()
                .resourceArn(topicArn)
                .dataProtectionPolicy(dataProtectionPolicy)
                .build();

        PutDataProtectionPolicyResponse result = snsClient.putDataProtectionPolicy(request);
        System.out.println("\n\nStatus was " + result.sdkHttpResponse().statusCode()
                + "\n\nTopic " + request.resourceArn()
                + " DataProtectionPolicy " + request.dataProtectionPolicy());
    } catch (SnsException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}

/** Retrieves the data protection policy currently attached to the topic. */
public static void getDataProtectionPolicy(SnsClient snsClient, String topicArn) {
    try {
        GetDataProtectionPolicyRequest request = GetDataProtectionPolicyRequest.builder()
                .resourceArn(topicArn)
                .build();

        GetDataProtectionPolicyResponse result = snsClient.getDataProtectionPolicy(request);
        System.out.println("\n\nStatus is " + result.sdkHttpResponse().statusCode()
                + "\n\nDataProtectionPolicy: \n\n" + result.dataProtectionPolicy());
    } catch (SnsException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}
```

------
#### [ JavaScript ]

```
// Import required AWS SDK clients and commands for Node.js
import { PutDataProtectionPolicyCommand, GetDataProtectionPolicyCommand } from "@aws-sdk/client-sns";
import { snsClient } from "./libs/snsClient.js";

// Set the parameters. ResourceArn is the topic ARN; DataProtectionPolicy is the policy document as a JSON string.
const putParams = { ResourceArn: "TOPIC_ARN", DataProtectionPolicy: "DATA_PROTECTION_POLICY" };

const runPut = async () => {
  try {
    const data = await snsClient.send(new PutDataProtectionPolicyCommand(putParams));
    console.log("Success.", data);
    return data; // For unit tests.
  } catch (err) {
    console.log("Error", err.stack);
  }
};

// Set the parameters
const getParams = { ResourceArn: "TOPIC_ARN" };

const runGet = async () => {
  try {
    const data = await snsClient.send(new GetDataProtectionPolicyCommand(getParams));
    console.log("Success.", data);
    return data; // For unit tests.
  } catch (err) {
    console.log("Error", err.stack);
  }
};

// Run the put first so the get reads back the policy that was just attached.
runPut().then(runGet);
```

------
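The three statement types walked through in the console procedure (audit, de-identify, deny), assembled into the JSON string that the SDK calls above take as `DataProtectionPolicy`, with a pre-check against the limits the console steps state. This is an added example, not AWS sample code: the account ID, log group name, and custom identifier are constructed placeholders, and the key names follow the published SNS data protection policy schema.

```javascript
// Added example (not AWS code): build the JSON string that the SDK calls above
// take as DataProtectionPolicy, and pre-check it against the limits the console
// steps list: one audit statement per policy, sample rate at most 99, at most 10
// custom identifiers, identifier name and regex length rules. Keys follow the SNS
// policy schema; account ID, log group and identifier names are constructed.
const managedId = (name) => `arn:aws:dataprotection::aws:data-identifier/${name}`;
function buildPolicy({ accountId, logGroup }) {
  return {
    Name: "pii-protection",
    Version: "2021-06-01",
    Statement: [
      { Sid: "audit-inbound", DataDirection: "Inbound", Principal: ["*"],
        DataIdentifier: [managedId("CreditCardNumber"), managedId("EmailAddress")],
        Operation: { Audit: { SampleRate: "99",
          FindingsDestination: { CloudWatchLogs: { LogGroup: logGroup } } } } },
      { Sid: "mask-email", DataDirection: "Inbound", Principal: ["*"],
        DataIdentifier: [managedId("EmailAddress")],
        Operation: { Deidentify: { MaskConfig: { MaskWithCharacter: "*" } } } },
      { Sid: "deny-cards-outbound", DataDirection: "Outbound",
        Principal: [`arn:aws:iam::${accountId}:root`],
        DataIdentifier: [managedId("CreditCardNumber")],
        Operation: { Deny: {} } },
    ],
    Configuration: { CustomDataIdentifier: [{ Name: "employee-id", Regex: "EMP-[0-9]{6}" }] },
  };
}
// Returns the console limits the policy violates; an empty list means it passes.
function validatePolicy(policy) {
  const errors = [];
  const audits = policy.Statement.filter((s) => s.Operation.Audit);
  if (audits.length > 1) errors.push("more than one audit statement");
  for (const a of audits) {
    const rate = Number(a.Operation.Audit.SampleRate);
    if (!(rate <= 99)) errors.push(`audit sample rate ${a.Operation.Audit.SampleRate} exceeds 99`);
  }
  const custom = (policy.Configuration && policy.Configuration.CustomDataIdentifier) || [];
  if (custom.length > 10) errors.push("more than 10 custom data identifiers");
  for (const c of custom) {
    if (!/^[A-Za-z0-9_-]{1,128}$/.test(c.Name)) errors.push(`invalid custom identifier name: ${c.Name}`);
    if (c.Regex.length > 200) errors.push(`regex for ${c.Name} is longer than 200 characters`);
  }
  return errors;
}
// Serialize for CreateTopic or PutDataProtectionPolicy; throw if a limit is violated.
function policyDocument(opts) {
  const policy = buildPolicy(opts);
  const errors = validatePolicy(policy);
  if (errors.length > 0) throw new Error(errors.join("; "));
  return JSON.stringify(policy);
}
```

The returned string is what goes into the `DataProtectionPolicy` parameter of the Java and JavaScript calls above; an empty string in the same parameter removes the policy, as described in the deletion section.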

# Deleting data protection policies in Amazon SNS
<a name="sns-message-data-protection-delete"></a>

You can **delete** Amazon SNS data protection policies using the AWS API, AWS CLI, CloudFormation, or AWS Management Console.

For general information about Amazon SNS data protection policies, see [Understanding Amazon SNS data protection policies](sns-message-data-protection-policies.md).

The number and size of Amazon SNS data protection policy resources in an AWS account are limited. For more information, see [Amazon SNS API throttling](https://docs.aws.amazon.com/general/latest/gr/sns.html) in the AWS General Reference.

## Deleting data protection policies using the console
<a name="sns-delete-data-protection-policy"></a>

**To delete a managed data protection policy using the console**

1. Sign in to the [Amazon SNS console](https://console.aws.amazon.com/sns/home).

1. Choose the topic that contains the data protection policy that you want to delete.

1. Choose **Edit**.

1. Expand the **Data protection policy** section.

1. Choose **Remove** next to the data protection policy statement that you want to remove.

1. Choose **Save changes**.

## Deleting a data protection policy using an empty JSON string
<a name="sns-message-data-protection-remove-example-json"></a>

You can delete a data protection policy by updating it to an empty JSON string.

## Deleting a data protection policy using the AWS CLI
<a name="sns-message-data-protection-remove-example-cli"></a>

You can delete a data protection policy using the AWS CLI by putting an empty policy string. Replace *topic-arn* with the ARN of the topic:

`aws sns put-data-protection-policy --resource-arn topic-arn --data-protection-policy ""`