Ensure SNS Topics aren't publicly accessible

SNS Topics might contain sensitive information. Determine the specific principals with their required actions, and then craft IAM policy with the required permissions.

Suggest Edits

Risk Level: Critical
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.IAM.57
Covered by Spectral: Yes
Category: Application Integration

GSL LOGIC

SnsTopic where policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')] should have policy.Statement contain [Condition]

REMEDIATION

From Portal
Perform the following in order to set a new SNS Topic policy:

  1. Login to AWS Console
  2. Navigate to SNS Service, click on topics
  3. Select the relevant topic and click Edit
  4. Look for "Access policy", and edit the policy.
    You can use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

From TF

resource "aws_sns_topic" "test" {
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
		{
			"Action": "*",
			"Principal": {
				-   "AWS": "*"
				+   "AWS": "arn:aws:iam::<account_number>:root"
			},
			"Effect": "Allow",
			"Sid": ""
		}]
	}
	EOF
}

From Command Line

aws sns set-topic-attributes --topic-arn Topic_ARN --attribute-name policy --attribute-value File:update_attributes.json

Note: Where the file should contain the new policy for the topic.

References

  1. https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset

Updated 7 months ago