Ensure that all your Amazon SNS topics are configured to allow access only to trusted AWS accounts and users in order to protect against unauthorized cross-account access. Before this rule is run by the Trend Cloud One™ – Conformity engine, the list of trusted AWS identities must be configured in the rule settings on your Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing unknown (unauthorized) AWS accounts and users to access your Amazon SNS topics can lead to unauthorized actions such as intercepting and publishing messages without permission. To prevent data leaks and data loss, and to avoid unexpected costs on your AWS bill, limit topic access to trusted entities only by implementing the right permissions.
Audit
To determine if there are any Amazon SNS topics that allow unknown cross-account access in your AWS account, perform the following actions:
Remediation / Resolution
To update your Amazon SNS topic permissions in order to allow cross-account access from trusted entities only, perform the following actions:
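The audit and remediation steps above both come down to reading each topic's access policy (the `Policy` attribute returned by `get-topic-attributes`) and comparing the principals it grants access to against the configured list of trusted accounts. The script below is an added example, not Conformity's own rule logic or any AWS-provided code. It parses a topic policy, reports every Allow statement that grants access to an account outside the trusted list, and produces a restricted copy of the policy that could be written back with `set-topic-attributes`. The sample policy, the account IDs and the topic ARN are constructed for illustration; `audit_topics` assumes a boto3 SNS client (or any object with the same `list_topics` / `get_topic_attributes` methods).

```python
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")
# Condition keys that pin a "*" principal to specific accounts. The default SNS
# topic policy grants Principal "*" restricted by aws:SourceOwner in this way.
ACCOUNT_CONDITION_KEYS = ("aws:SourceOwner", "aws:SourceAccount", "aws:PrincipalAccount")


def as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def owner_of(principal_value):
    """12-digit account id behind an AWS principal value (account id or IAM ARN), else None."""
    if ACCOUNT_RE.match(principal_value):
        return principal_value
    m = ARN_RE.match(principal_value)
    return m.group(1) if m else None


def condition_accounts(statement):
    """Account ids a StringEquals condition pins the statement to (empty set if none)."""
    found = set()
    for key, values in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key in ACCOUNT_CONDITION_KEYS:
            found.update(v for v in as_list(values) if isinstance(v, str) and ACCOUNT_RE.match(v))
    return found


def aws_principals(statement):
    """Values of the Principal.AWS element; a bare "*" principal is treated as {"AWS": "*"}."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def untrusted_grants(policy, trusted_accounts):
    """Audit: (Sid, reason) for every Allow statement granting access outside trusted_accounts.
    Deny statements are not modelled, so the check is conservative."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    trusted = set(trusted_accounts)
    findings = []
    for i, st in enumerate(as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        for value in aws_principals(st):
            if value == "*":
                pinned = condition_accounts(st)
                if not pinned:
                    findings.append((sid, "principal '*' with no account condition"))
                for acct in sorted(pinned - trusted):
                    findings.append((sid, f"principal '*' pinned to untrusted account {acct}"))
            elif owner_of(value) not in trusted:
                findings.append((sid, f"untrusted principal {value}"))
    return findings


def restrict_policy(policy, trusted_accounts):
    """Remediation: a copy of the policy with untrusted grants removed. A '*' principal is
    kept only when pinned to trusted accounts; statements left with no principal are dropped."""
    doc = json.loads(policy if isinstance(policy, str) else json.dumps(policy))
    trusted = set(trusted_accounts)
    kept = []
    for st in as_list(doc.get("Statement")):
        values = aws_principals(st)
        if st.get("Effect") != "Allow" or not values:
            kept.append(st)  # Deny statements and Service/Federated-only principals untouched
            continue
        pinned = condition_accounts(st)
        keep = [v for v in values
                if (v == "*" and pinned and pinned <= trusted) or (v != "*" and owner_of(v) in trusted)]
        principal = st["Principal"] if isinstance(st["Principal"], dict) else {"AWS": "*"}
        if keep:
            principal["AWS"] = keep if len(keep) > 1 else keep[0]
        elif len(principal) == 1:
            continue  # nothing left to grant: drop the whole statement
        else:
            del principal["AWS"]
        st["Principal"] = principal
        kept.append(st)
    doc["Statement"] = kept
    return doc


def audit_topics(sns, trusted_accounts):
    """Run untrusted_grants over every topic in the account (paginating list_topics)."""
    results, token = {}, None
    while True:
        page = sns.list_topics(NextToken=token) if token else sns.list_topics()
        for topic in page.get("Topics", []):
            attrs = sns.get_topic_attributes(TopicArn=topic["TopicArn"])["Attributes"]
            findings = untrusted_grants(attrs.get("Policy", "{}"), trusted_accounts)
            if findings:
                results[topic["TopicArn"]] = findings
        token = page.get("NextToken")
        if not token:
            return results


# Constructed sample: topic owner 111111111111 trusts 222222222222 only (placeholder ids).
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:alerts"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN,
     "Condition": {"StringEquals": {"aws:SourceOwner": "111111111111"}}},
    {"Sid": "PartnerPublish", "Effect": "Allow", "Action": "SNS:Publish", "Resource": TOPIC_ARN,
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "arn:aws:iam::333333333333:user/bob"]}},
    {"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
     "Action": "SNS:Subscribe", "Resource": TOPIC_ARN}]}
SAMPLE_POLICY_JSON = json.dumps(SAMPLE_POLICY)
TRUSTED = {"111111111111", "222222222222"}

if __name__ == "__main__":
    for sid, reason in untrusted_grants(SAMPLE_POLICY, TRUSTED):
        print(f"{sid}: {reason}")
    print(json.dumps(restrict_policy(SAMPLE_POLICY, TRUSTED), indent=2))
```

Against a real account you would pass `boto3.client("sns")` to `audit_topics` and feed each restricted policy to `set_topic_attributes(TopicArn=..., AttributeName="Policy", AttributeValue=json.dumps(...))`. The default `__default_statement_ID` statement is deliberately left alone: its `*` principal is pinned to the owning account by `aws:SourceOwner`, so it is not a cross-account grant.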
References
- AWS Documentation
  - Amazon SNS FAQs
  - Identity and access management in Amazon SNS
  - Amazon SNS API permissions: Actions and resources reference
  - IAM JSON policy elements reference
- AWS Command Line Interface (CLI) Documentation
  - sns
    - list-topics
    - get-topic-attributes
    - set-topic-attributes
- CloudFormation Documentation
  - Amazon Simple Notification Service resource type reference
- Terraform Documentation
  - AWS Provider