diff --git a/aws/resource_aws_sns_platform_application.go b/aws/resource_aws_sns_platform_application.go
index e8b394b17597..217b32f221b4 100644
--- a/aws/resource_aws_sns_platform_application.go
+++ b/aws/resource_aws_sns_platform_application.go
@@ -1,7 +1,6 @@
 package aws
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"log"
 	"strings"
@@ -60,7 +59,7 @@ func resourceAwsSnsPlatformApplication() *schema.Resource {
 			"platform_credential": {
 				Type:      schema.TypeString,
 				Required:  true,
-				StateFunc: hashSum,
+				Sensitive: true,
 			},
 			"arn": {
 				Type:     schema.TypeString,
@@ -89,7 +88,7 @@ func resourceAwsSnsPlatformApplication() *schema.Resource {
 			"platform_principal": {
 				Type:      schema.TypeString,
 				Optional:  true,
-				StateFunc: hashSum,
+				Sensitive: true,
 			},
 			"success_feedback_role_arn": {
 				Type:     schema.TypeString,
@@ -158,6 +157,12 @@ func resourceAwsSnsPlatformApplicationUpdate(d *schema.ResourceData, meta interf
 		}
 	}
 
+	if d.HasChange("platform_principal") {
+		// If the principal has changed we must also send the credential, even if it didn't change,
+		// as they must be specified together in the request.
+		attributes["PlatformCredential"] = aws.String(d.Get("platform_credential").(string))
+	}
+
 	// Make API call to update attributes
 	req := &sns.SetPlatformApplicationAttributesInput{
 		PlatformApplicationArn: aws.String(d.Id()),
@@ -271,10 +276,6 @@ func decodeResourceAwsSnsPlatformApplicationID(input string) (arnS, name, platfo
 	return
 }
 
-func hashSum(contents interface{}) string {
-	return fmt.Sprintf("%x", sha256.Sum256([]byte(contents.(string))))
-}
-
 func validateAwsSnsPlatformApplication(d *schema.ResourceDiff) error {
 	platform := d.Get("platform").(string)
 	if snsPlatformRequiresPlatformPrincipal[platform] {