Ensure SNS topics have active subscriptions
Every SNS topic should have at least one active (confirmed) subscription. A topic with no subscribers silently discards everything published to it, so alarms or notifications routed through it never reach anyone. Delete SNS topics that are no longer used.
Risk Level: Low
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.MON.19
Covered by Spectral: Yes
Category: Application Integration
GSL LOGIC
SnsTopic should not have subscriptions isEmpty()
REMEDIATION
From Portal
Perform the following to verify the topic and, if needed, create a new subscription:
- Log in to the AWS Console.
- Navigate to the SNS service.
- Select the topic you want to examine.
- Open the Subscriptions tab and confirm that at least one subscription is listed with status Confirmed. A subscription shown as Pending confirmation is not yet active.
- If there is no active subscription, choose Create subscription, pick the protocol and endpoint, and confirm the subscription from the endpoint if the protocol requires it (email, HTTP/S).
- If the topic is no longer needed, select it and click Delete instead.
From TF
Use the Terraform code below to create a subscription. The placeholders in angle brackets must be replaced with values from your account.
resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = "arn:aws:sns:<region>:<account-id>:<topic-name>"  # ARN of the topic flagged by the rule
  protocol  = "sqs"                                              # or email, https, lambda, ...; must match the endpoint
  endpoint  = "arn:aws:sqs:<region>:<account-id>:<queue-name>"   # for sqs the queue ARN; for email the address; for https the URL
}
Note: for an SQS endpoint the queue's access policy must also allow sns.amazonaws.com to SendMessage from that topic, otherwise deliveries fail. Email and HTTP/S subscriptions are not active until the endpoint owner confirms them.
From Command Line
Use the following command to create a new subscription:
aws sns subscribe --topic-arn TOPIC_ARN --protocol PROTOCOL --notification-endpoint ENDPOINT
Note: PROTOCOL is one of http, https, email, email-json, sms, sqs, application, lambda or firehose, and ENDPOINT must match it (a URL, an email address, a phone number, or a queue/function/stream ARN). See the reference section for details.
Use the following command to delete a topic:
aws sns delete-topic --topic-arn TOPIC_ARN
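The following is an added example, not code from this CloudGuard page or from the CloudGuard product. It reproduces the rule's check in Python (topics whose subscription list is empty) and goes one step beyond the GSL logic by also treating subscriptions still in PendingConfirmation as inactive, which is what "active subscription" means in practice. The topic and subscription data in SAMPLE are constructed, and the ARNs in it are fictitious. The collect_from_aws function assumes boto3 and AWS credentials are available; it is only needed against a live account and is not exercised offline.

```python
"""Find SNS topics with no active (confirmed) subscriptions.

Mirrors CloudGuard rule D9.AWS.MON.19 (SnsTopic subscriptions isEmpty()) and
additionally flags topics whose only subscriptions were never confirmed.
"""
from typing import Dict, Iterable, List

# SNS reports a subscription that the endpoint owner has not confirmed yet
# with this sentinel instead of a real subscription ARN.
PENDING = "PendingConfirmation"


def active_subscriptions(subscriptions: Iterable[dict]) -> List[dict]:
    """Return only subscriptions that are confirmed (carry a real ARN)."""
    return [
        s for s in subscriptions
        if s.get("SubscriptionArn") not in (PENDING, "Deleted", None)
    ]


def unsubscribed_topics(topic_subscriptions: Dict[str, List[dict]]) -> List[str]:
    """Return the topic ARNs that fail the rule, sorted for stable output.

    A topic fails when it has no subscriptions at all (the rule's
    `subscriptions isEmpty()` condition) or only unconfirmed ones.
    """
    return sorted(
        arn for arn, subs in topic_subscriptions.items()
        if not active_subscriptions(subs)
    )


# Constructed sample shaped like boto3 list_subscriptions_by_topic() output,
# keyed by topic ARN. Account id and ARNs are fictitious.
SAMPLE: Dict[str, List[dict]] = {
    "arn:aws:sns:us-east-1:123456789012:security-alerts": [
        {
            "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:security-alerts:0e1a2b3c-1111-2222-3333-444455556666",
            "Protocol": "sqs",
            "Endpoint": "arn:aws:sqs:us-east-1:123456789012:alerts-queue",
        },
    ],
    # Topic nobody subscribed to: CloudWatch alarms sent here would be lost.
    "arn:aws:sns:us-east-1:123456789012:unused-topic": [],
    # Email subscription was created but the recipient never confirmed it.
    "arn:aws:sns:us-east-1:123456789012:oncall-email": [
        {"SubscriptionArn": PENDING, "Protocol": "email", "Endpoint": "oncall@example.com"},
    ],
}


def collect_from_aws(region_name: str) -> Dict[str, List[dict]]:
    """Build the same {topic_arn: [subscription, ...]} map from a real account.

    Assumes boto3 is installed and credentials with sns:ListTopics and
    sns:ListSubscriptionsByTopic are configured; imported lazily so the
    rest of the module works offline.
    """
    import boto3

    sns = boto3.client("sns", region_name=region_name)
    result: Dict[str, List[dict]] = {}
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            subs: List[dict] = []
            for sub_page in sns.get_paginator("list_subscriptions_by_topic").paginate(TopicArn=arn):
                subs.extend(sub_page["Subscriptions"])
            result[arn] = subs
    return result


if __name__ == "__main__":
    # Run against the constructed sample; swap in collect_from_aws("us-east-1")
    # to audit a live account.
    for failing in unsubscribed_topics(SAMPLE):
        print("FAIL D9.AWS.MON.19:", failing)
```

Running the block as a script prints the two failing topics from the sample (unused-topic and oncall-email); the security-alerts topic passes because its SQS subscription is confirmed. Remediate a flagged topic either by adding and confirming a subscription with aws sns subscribe or by deleting it with aws sns delete-topic, as described above.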
References
- https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/subscribe.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/delete-topic.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription
SNS Topic
An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago