Ensure SNS Topics administrative actions aren’t publicly executable

SNS Topics might contain sensitive information or initiate critical tasks. Determine the specific principals and the actions they require, and then craft an IAM policy that grants only those permissions.

Risk Level: Critical
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.TF.AWS.IAM.58
Covered by Spectral: No
Category: Application Integration

GSL LOGIC

aws_sns_topic should not have (policy regexMatch /"Effect":\s*"Allow"/i) and (policy regexMatch /Principal\":{\"AWS\":\"*\"}/i or policy regexMatch /"Principal":\s*"*"/i)  and (policy regexMatch /SNS:GetTopicAttributes/i or policy regexMatch /SNS:SetTopicAttributes/i or policy regexMatch /SNS:AddPermission/i or policy regexMatch /SNS:RemovePermission/i or policy regexMatch /SNS:DeleteTopic/i or policy regexMatch /SNS:ListSubscriptionsByTopic/i) and not policy regexMatch /Condition/i

REMEDIATION

Perform the following in order to set a new SNS Topic policy:

From Portal

  1. Log in to the AWS Console
  2. Navigate to the SNS service and click Topics
  3. Select the relevant topic and click Edit
  4. Look for "Access policy" and edit the policy.
    You can use the AWS Policy Generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html

From CLI
aws sns set-topic-attributes --topic-arn <Topic ARN> --attribute-name Policy --attribute-value file://update_attributes.json
where update_attributes.json contains the new policy document for the topic (the attribute name is case-sensitive, and the file:// prefix tells the CLI to read the value from the file).
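The following is an added example, not part of the CloudGuard rule page or the CloudGuard product, that implements the check described by the GSL logic above in plain Python and produces the least-privilege policy to pass to set-topic-attributes. It parses the policy document as JSON rather than regex-matching its text, so it also catches wildcard actions such as SNS:* or SNS:Set*, and it evaluates the Condition exemption per statement rather than for the whole policy. The topic ARN, account ID and both sample policies are constructed for the example; in practice the policy string would come from aws sns get-topic-attributes.

```python
import fnmatch
import json

# Administrative SNS actions the rule looks for (compared case-insensitively).
ADMIN_ACTIONS = (
    "sns:gettopicattributes",
    "sns:settopicattributes",
    "sns:addpermission",
    "sns:removepermission",
    "sns:deletetopic",
    "sns:listsubscriptionsbytopic",
)


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_admin_action(action: str) -> bool:
    """Case-insensitive match that also honours IAM wildcards (e.g. sns:* or sns:Set*)."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(admin, pattern) for admin in ADMIN_ACTIONS)


def find_public_admin_statements(policy_json: str) -> list:
    """Return statements that allow admin actions to everyone without any Condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # a conditioned grant is out of scope for this rule
            continue
        hits = [a for a in _as_list(stmt.get("Action")) if _is_admin_action(a)]
        if hits:
            findings.append({"Sid": stmt.get("Sid"), "Actions": hits})
    return findings


def build_topic_policy(topic_arn: str, admin_principal_arn: str) -> dict:
    """Least-privilege replacement: admin actions granted to one named principal only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TopicOwnerAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": admin_principal_arn},
                "Action": [
                    "SNS:GetTopicAttributes",
                    "SNS:SetTopicAttributes",
                    "SNS:AddPermission",
                    "SNS:RemovePermission",
                    "SNS:DeleteTopic",
                    "SNS:ListSubscriptionsByTopic",
                ],
                "Resource": topic_arn,
            }
        ],
    }


# Constructed sample values (not from any real account).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
ADMIN_ARN = "arn:aws:iam::111122223333:root"

# Constructed policy that the rule should flag: one unconditioned public grant
# of admin actions, plus one public grant that is exempt because it carries a Condition.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicAdmin", "Effect": "Allow", "Principal": "*",
         "Action": ["SNS:Publish", "SNS:DeleteTopic", "SNS:SetTopicAttributes"],
         "Resource": TOPIC_ARN},
        {"Sid": "PublicButConditioned", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "SNS:GetTopicAttributes", "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
    ],
})

if __name__ == "__main__":
    print("findings:", find_public_admin_statements(PUBLIC_POLICY))
    fixed = build_topic_policy(TOPIC_ARN, ADMIN_ARN)
    print("findings after fix:", find_public_admin_statements(json.dumps(fixed)))
    # Save this output as update_attributes.json for the set-topic-attributes command.
    print(json.dumps(fixed, indent=2))
```

Only SNS:DeleteTopic and SNS:SetTopicAttributes are reported for the PublicAdmin statement (SNS:Publish is not an administrative action), and the conditioned statement is skipped, matching the "not policy regexMatch /Condition/i" clause of the rule.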

References
Use the following reference for additional information regarding access and SNS policies:
https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • Terraform AWS CIS Foundations