Amazon SNS introduces message data protection to discover sensitive data in motion

Amazon SNS recently announced the public message data protection overview. Identifying PII data and other sensitive information in-flight, new SNS functionality leverages pattern matching, machine learning models and data protection policies to simplify data protection and compliance in applications that exchange large volumes of data.

One of the first managed services on AWSSNS uses the publish/subscribe model for message delivery, supporting standard and FIFO topics. For standard topics only, owners can now enable message data protection to scan messages in real time for sensitive data and provide detailed audit reports or block message delivery. Otavio Ferreirasenior software development manager at AWS, and his team Explain:

With Message Data Protection for SNS, you can scan messages in real time for PII/PHI data and receive audit reports containing the scan results. You can also prevent applications from receiving sensitive data by blocking incoming messages to an SNS topic or outgoing messages to an SNS subscription. Message data protection for SNS supports a repository of more than 25 unique PII/PHI data identifiers. These include people’s names, addresses, social security numbers, credit card numbers, and prescription drug codes. These features can help you meet various compliance regulations, including HIPAA, FedRAMP, GDPR, and PCI.


Customers can set an audit policy to determine if any of the systems inadvertently send or receive sensitive data or use a blocking policy to prevent delivery. Other supported data identifiers include credentials, such as AWS secret access keys, and device identifiers, such as IP address and MAC address. David BoyneSenior Developer Advocate at AWS, tweet:

It’s pretty cool. Using policies to detect PII information and audit or block messages in progress is great. Great for EDA applications when you’re scaling them across organizations, it’s so easy to add PII information into messages/events, it’s interesting to see this being used

Discussing possible use cases, Ferreira and his team write:

Consider an application that processes a variety of transactions for a set of healthcare clinics, an organization that operates in a regulated environment. Compliance frameworks require the organization to take steps to protect both sensitive health records and financial information.

The new CloudWatch metrics MessageWithResults and MessageWithNoFinds Track how often PII/PHI data is posted on an SNS topic and the amount of sensitive data posted on a topic.


Amazon SNS message data protection is currently available in a subset of AWS Regions. The pricing of new functionality is based on the amount of payload analyzed, with a minimum of 1 KB of message analysis, and the amount of audit report data generated: with region-dependent pricing, analysis of Messages starts at $0.08 per GB and Audit Reports starts at $0.19 per GB.

During preview, message data protection does not support PublishBatch API for incoming messages.

Margie D. Carlisle