Risk Level: Critical

Cloud Entity: SNS Topic

CloudGuard Rule ID: D9.AWS.IAM.58

Covered by Spectral: Yes

Category: Application Integration

GSL LOGIC

SnsTopic should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain-any ['SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes'  or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic']) and Condition isEmpty()]

REMEDIATION

From Console

Open the Amazon SNS console https://console.aws.amazon.com/sns/
In the left navigation pane, choose Topics.
Choose your Amazon SNS topic's name.
Choose the Edit button.
Expand the Access policy - optional section.
Edit the access policy to grant the required permissions for your use case. (You can also use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html)
In the policy When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', Make sure you DO NOT mention Principal='' or Principal.AWS='', and add make sure you add a condition in the policy statement.
Choose Save Changes.

From CLI

Create a json file with policy statement where, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', Make sure you DO NOT mention Principal='' or Principal.AWS='', and add make sure you add a condition in the policy statement.
Use below CLI Command to update the policy.

aws sns set-topic-attributes --topic-arn TOPIC_ARN --attribute-name policy --attribute-value FILE://UPDATE_ATTRIBUTES.json

From CFT

See below example, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', Make sure you DO NOT mention Principal='' or Principal.AWS='', and add make sure you add a condition in the policy statement.

Resources:
  SampleSNSPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Id: __default_policy_ID
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "111122223333"
            Action:
              - SNS:GetTopicAttributes
            Resource: arn:aws:sns:us-east-2:444455556666:MyTopic
            Condition:
              StringEquals:
                AWS:SourceOwner: '444455556666'
      Topics:
        - "arn:aws:sns:us-east-2:444455556666:MyTopic"

From TF

See below example, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', Make sure you DO NOT mention Principal='' or Principal.AWS='', and add make sure you add a condition in the policy statement.

resource "aws_sns_topic_policy" "default" {
	arn = "arn:aws:sns:us-east-2:444455556666:MyTopic"
	policy = data.aws_iam_policy_document.sns_topic_policy.json
}

data "aws_iam_policy_document" "sns_topic_policy" {
	policy_id = "__default_policy_ID"
	statement {
		actions = [
		"SNS:DeleteTopic"
		]
		condition {
			test     = "StringEquals"
			variable = "AWS:SourceOwner"
			values = [
			444455556666,
			]
		}
		effect = "Allow"
		principals {
			type        = "AWS"
			identifiers = ["111122223333"]
		}
		resources = [
		"arn:aws:sns:us-east-2:444455556666:MyTopic",
		]
		sid = "__default_statement_ID"
	}
}

References

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset