Ensure appropriate subscribers to each SNS topic

AWS Simple Notification Service (SNS) is a web service that can publish messages from an application and immediately deliver them to subscribers or other applications. Subscribers are clients interested in receiving notifications from topics of interest; they can subscribe to a topic themselves or be subscribed by the topic owner. When publishers have information or updates to notify their subscribers about, they publish a message to the topic, which immediately triggers Amazon SNS to deliver the message to all applicable subscribers. Because every subscriber receives everything published to the topic, it is recommended that the list of subscribers to each topic be periodically reviewed for appropriateness.

Risk Level: Low
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.AWS.MON.15
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

CloudTrail where name regexMatch /(.*)/ should have hasSNSSubscriber=true

REMEDIATION

From Portal
Perform the following steps to verify whether any inappropriate SNS subscribers exist within your AWS account:

  1. Sign in to the AWS Management Console.
  2. Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
  3. In the left navigation panel, under SNS Dashboard, select Subscriptions.
  4. Choose the SNS subscription that you want to examine.
  5. Evaluate the topic Amazon Resource Name (ARN), available in the Topic ARN column, and the endpoint assigned to the subscription, available in the Endpoint column, to determine whether the subscriber is appropriate and should be able to access/receive the data published to the assigned topic.
  6. If the subscriber is evaluated as unwanted, the selected AWS SNS subscription is not appropriate and can be safely removed from your account.

Perform the following steps to remove any inappropriate SNS subscribers:

  1. Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
  2. In the navigation panel, under SNS Dashboard, click Subscriptions.
  3. Select the SNS topic subscription that you want to remove.
  4. Click the Delete button to remove the selected SNS subscription.

From Command Line
Run the following command to remove the inappropriate AWS SNS subscription from your account.

aws sns unsubscribe --region AWS_REGION --subscription-arn SUBSCRIPTION_ARN

Note: use the ARN of the inappropriate subscription that you want to delete.
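The review in the steps above can be scripted over the JSON that `aws sns list-subscriptions --output json` returns. The following is an added example, not part of the CloudGuard page or the AWS CLI: the sample output, the account id and the allow-list policy (resource endpoints must be in our own account, e-mail endpoints must use an approved domain, everything else is flagged for manual review) are all constructed assumptions.

```python
import json
import re

# Constructed sample shaped like `aws sns list-subscriptions --output json`
# (account ids, ARNs and addresses are made up for this example).
TOPIC = "arn:aws:sns:us-east-1:111111111111:alerts"
SAMPLE_OUTPUT = json.dumps({"Subscriptions": [
    {"SubscriptionArn": TOPIC + ":aaaaaaaa-0000-0000-0000-000000000001", "Owner": "111111111111",
     "Protocol": "sqs", "Endpoint": "arn:aws:sqs:us-east-1:111111111111:alerts-queue", "TopicArn": TOPIC},
    {"SubscriptionArn": TOPIC + ":aaaaaaaa-0000-0000-0000-000000000002", "Owner": "111111111111",
     "Protocol": "email", "Endpoint": "someone@example.net", "TopicArn": TOPIC},
    {"SubscriptionArn": TOPIC + ":aaaaaaaa-0000-0000-0000-000000000003", "Owner": "111111111111",
     "Protocol": "lambda", "Endpoint": "arn:aws:lambda:us-east-1:222222222222:function:handler", "TopicArn": TOPIC},
    {"SubscriptionArn": "PendingConfirmation", "Owner": "111111111111",
     "Protocol": "https", "Endpoint": "https://hooks.example.com/sns", "TopicArn": TOPIC},
]})

ACCOUNT_ID = "111111111111"              # assumption: the account being reviewed
ALLOWED_EMAIL_DOMAINS = {"example.com"}  # assumption: approved recipient domains
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):")


def is_appropriate(sub):
    """Review policy (an assumption; adapt it to your environment): AWS-resource endpoints
    must belong to our own account, e-mail endpoints must use an approved domain."""
    proto, endpoint = sub["Protocol"], sub["Endpoint"]
    if proto in ("sqs", "lambda", "firehose"):
        match = ARN_ACCOUNT_RE.match(endpoint)
        return bool(match) and match.group(1) == ACCOUNT_ID
    if proto in ("email", "email-json"):
        return endpoint.rsplit("@", 1)[-1].lower() in ALLOWED_EMAIL_DOMAINS
    return False  # http/https/sms and anything else: flag for manual review


def review(list_subscriptions_json):
    """Return (unsubscribe_commands, pending_endpoints) for subscriptions failing the policy.
    Unconfirmed subscriptions carry "PendingConfirmation" instead of an ARN, so they cannot
    be removed with `aws sns unsubscribe` and are reported separately."""
    commands, pending = [], []
    for sub in json.loads(list_subscriptions_json)["Subscriptions"]:
        if is_appropriate(sub):
            continue
        if sub["SubscriptionArn"] == "PendingConfirmation":
            pending.append(sub["Endpoint"])
            continue
        region = sub["TopicArn"].split(":")[3]  # region field of the topic ARN
        commands.append(f"aws sns unsubscribe --region {region} "
                        f"--subscription-arn {sub['SubscriptionArn']}")
    return commands, pending
```

The generated commands are meant to be read and confirmed by a person before they are run, matching the manual evaluation in step 5 above.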

References

  1. https://docs.aws.amazon.com/sns/latest/dg/sns-delete-subscription-topic.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/unsubscribe.html

CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Foundations v. 1.1.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • CloudGuard AWS All Rules Ruleset