Ensure SNS topic have active subscriptions

All SNS topics should have active subscriptions. You should delete unused SNS topics.

Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.MON.19
Covered by Spectral: Yes
Category: Application Integration


SnsTopic should not have subscriptions isEmpty()


From Portal
Perform the following to verify and create a new subscription:

  1. Login to AWS Console
  2. Navigate to SNS Service.
  3. Select the desired topic you want to examine.
  4. Go to Subscription section and ensure subscription is added to this topic.
  5. If there is no active subscription created, Create a new one.
  6. Choose create subscription tab to create a new subscription.
  7. If you want to delete the topic, select the relevant topic and click delete.

From TF
Use below Terraform code to create a subscription.

resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
	topic_arn = "sns_topic_arn"
	protocol  = "protocol_type"
	endpoint  = "Endpoint_to_send_data"

From Command Line
Use following command to create a new subscription:

aws sns subscribe --topic-arn Topic_ARN --protocol PROTOCOL_NAME --notification-endpoint [email protected]

Note: You can follow reference section to see a full list of protocol.

Use following command to delete a topic:

aws sns delete-topic --topic-arn Topic_ARN


  1. https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/subscribe.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/delete-topic.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset