Guides

Ensure SNS Topics administrative actions aren't publicly executable without a condition

SNS Topics might contain sensitive information or initiate critical tasks. Determine the specific principals the their required actions, and then craft IAM policy with the required permissions.

Suggest Edits

Risk Level: Critical
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.IAM.58
Covered by Spectral: Yes
Category: Application Integration

GSL LOGIC

SnsTopic should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain-any ['SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes'  or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic']) and Condition isEmpty()]

REMEDIATION

From Console

  1. Open the Amazon SNS console https://console.aws.amazon.com/sns/
  2. In the left navigation pane, choose Topics.
  3. Choose your Amazon SNS topic's name.
  4. Choose the Edit button.
  5. Expand the Access policy - optional section.
  6. Edit the access policy to grant the required permissions for your use case.(You can also use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html)
  7. In the policy When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
  8. Choose Save Changes.

From CLI

  1. Create a json file with policy statement where, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
  2. Use below CLI Command to update the policy.
aws sns set-topic-attributes --topic-arn TOPIC_ARN --attribute-name policy --attribute-value FILE://UPDATE_ATTRIBUTES.json

From CFT

  1. See below example, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
Resources:
SampleSNSPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Id: __default_policy_ID
Statement:
- Sid: __default_statement_ID
Effect: Allow
Principal:
AWS: "111122223333"
Action:
- SNS:GetTopicAttributes
Resource: arn:aws:sns:us-east-2:444455556666:MyTopic
Condition:
StringEquals:
AWS:SourceOwner: '444455556666'
Topics:
- "arn:aws:sns:us-east-2:444455556666:MyTopic"

From TF

  1. See below example, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
resource "aws_sns_topic_policy" "default" {
	arn = "arn:aws:sns:us-east-2:444455556666:MyTopic"
	policy = data.aws_iam_policy_document.sns_topic_policy.json
}

data "aws_iam_policy_document" "sns_topic_policy" {
	policy_id = "__default_policy_ID"
	statement {
		actions = [
		"SNS:DeleteTopic"
		]
		condition {
			test     = "StringEquals"
			variable = "AWS:SourceOwner"
			values = [
			444455556666,
			]
		}
		effect = "Allow"
		principals {
			type        = "AWS"
			identifiers = ["111122223333"]
		}
		resources = [
		arn:aws:sns:us-east-2:444455556666:MyTopic,
		]
		sid = "__default_statement_ID"
	}
}

References

  1. https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
  4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset

Updated about 1 year ago