SNS Topic Exposed

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)
Rule ID: SNS-001

Identify any publicly accessible Amazon SNS topics and update their permissions in order to protect against attackers and unauthorized personnel.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing anonymous users to access your Amazon SNS topics can lead to unauthorized actions such as intercepting, receiving, or publishing messages without permission. One common scenario is when the topic owner grants permissions to everyone by setting the Principal to "Everyone" (i.e. "*") while testing the SNS messaging system configuration, and the insecure set of permissions then reaches production. To avoid data leakage and unexpected costs on your AWS bill, limit access to your SNS topics by implementing the right permissions.

Audit

To determine if your Amazon SNS topics are publicly accessible, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to examine.

05 Select the Access policy tab from the console bottom panel to access the permissions defined for the selected topic.

06 Within the Access policy box, identify the "Principal" element defined for each policy statement and check the element value (i.e. ARN).

07 Check the policy document listed in the Access policy section. If the "Effect" element value is set to "Allow", the "Principal" element value is set to "*" or {"AWS": "*"}, and the policy is not using "Condition" clauses to filter the access, as shown in the policy example listed below, the selected Amazon Simple Notification Service (SNS) topic is exposed to unauthorized access:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic"
    }
  ]
}

08 Repeat steps no. 4 – 6 for each Amazon SNS topic available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Amazon SNS topic available in the selected AWS cloud region:

aws sns list-topics \
  --region us-east-1 \
  --output table \
  --query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs:

-----------------------------------------------------------
|                       ListTopics                        |
+---------------------------------------------------------+
|                        TopicArn                         |
+---------------------------------------------------------+
|  arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic   |
|  arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic  |
+---------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to examine as the identifier parameter to describe the access policy defined for the selected SNS topic:

aws sns get-topic-attributes \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic \
  --query 'Attributes.Policy'

04 The command output should return the topic policy document in JSON format:

"{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic"
    }
  ]
}"

Check the policy document returned by the get-topic-attributes command output. If the "Effect" element value is set to "Allow", the "Principal" element value is set to "*" or {"AWS": "*"}, and the policy is not using "Condition" clauses to filter the access, as shown in the policy example listed above, the selected Amazon SNS topic is exposed to unauthorized access.

05 Repeat steps no. 3 and 4 for each Amazon SNS topic available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
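The audit above can be automated over the output of get-topic-attributes. The following script is an added example (not Conformity's own code) that implements exactly the rule's test, an "Allow" statement with a wildcard Principal and no "Condition" clause, and runs it over constructed sample policies that mirror the ones on this page; the topic and user ARNs are the page's sample values.

```python
import json

def _principal_is_wildcard(principal):
    """True for the forms this rule flags: "*" or {"AWS": "*"} (also a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def exposed_statements(policy):
    """Return the statements that grant anonymous access: Effect Allow, wildcard
    Principal and no Condition. `policy` is the JSON string returned by
    get-topic-attributes --query 'Attributes.Policy', or an already parsed dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a policy may carry a single statement object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_wildcard(s.get("Principal"))
            and not s.get("Condition")]   # any Condition counts as a filter, as the rule states

def is_topic_exposed(policy):
    return bool(exposed_statements(policy))

def audit_topics(topics):
    """topics: {topic ARN: policy}; returns the ARNs that fail this rule, sorted."""
    return sorted(arn for arn, pol in topics.items() if is_topic_exposed(pol))

# Constructed sample data mirroring the policies shown on this page.
TOPIC = "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic"
ACTIONS = ["SNS:Subscribe", "SNS:Publish"]

def _policy(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": ACTIONS, "Resource": TOPIC}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2008-10-17", "Statement": [stmt]})

EXPOSED = _policy({"AWS": "*"})                                                     # audit example
TRUSTED_USER = _policy({"AWS": "arn:aws:iam::123456789012:user/aws_sns_manager"})   # remediation policy
OWNER_ONLY = _policy("*", {"StringEquals": {"AWS:SourceOwner": "123456789012"}})    # console step 06, option 3

SAMPLE_TOPICS = {TOPIC: EXPOSED,
                 "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic": OWNER_ONLY}

if __name__ == "__main__":
    for arn in audit_topics(SAMPLE_TOPICS):
        print("EXPOSED:", arn)
```

Because the rule treats any "Condition" clause as a filter, a statement whose condition is overly broad (for example a very wide aws:SourceIp range) passes this check and still deserves a manual review.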

Remediation / Resolution

To update the associated access policy and set the appropriate permissions in order to secure the access to your exposed Amazon SNS topic, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Restrict Access via SNS Topic Policy (Allow Access from Trusted IAM Users Only)",
    "Parameters": {
        "SNSTopicName": {
            "Type": "String",
            "Description": "Topic Name",
            "Default": "cc-sns-topic"
        }
    },
    "Resources": {
        "AWSSNSTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "TopicName": {
                    "Ref": "SNSTopicName"
                },
                "Subscription": [
                    {
                        "Endpoint": "user@domain.com",
                        "Protocol": "email"
                    }
                ]
            }
        },
        "AWSSNSTopicPolicy": {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Id": "SecureAccessPolicy",
                    "Version": "2008-10-17",
                    "Statement": [
                        {
                          "Effect": "Allow",
                          "Principal": {
                            "AWS": "arn:aws:iam::123456789012:user/aws_sns_manager"
                          },
                          "Action": [
                            "SNS:GetTopicAttributes",
                            "SNS:SetTopicAttributes",
                            "SNS:AddPermission",
                            "SNS:RemovePermission",
                            "SNS:DeleteTopic",
                            "SNS:Subscribe",
                            "SNS:ListSubscriptionsByTopic",
                            "SNS:Publish"
                          ],
                          "Resource": "arn:aws:sns:us-east-1:123456789012:cc-sns-topic"
                        }
                    ]
                },
                "Topics": [
                    {
                        "Ref": "AWSSNSTopic"
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Restrict Access via SNS Topic Policy (Allow Access from Trusted IAM Users
  Only)
Parameters:
  SNSTopicName:
    Type: String
    Description: Topic Name
    Default: cc-sns-topic
Resources:
  AWSSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref 'SNSTopicName'
      Subscription:
        - Endpoint: user@domain.com
          Protocol: email
  AWSSNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: SecureAccessPolicy
        Version: '2008-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/aws_sns_manager
            Action:
              - SNS:GetTopicAttributes
              - SNS:SetTopicAttributes
              - SNS:AddPermission
              - SNS:RemovePermission
              - SNS:DeleteTopic
              - SNS:Subscribe
              - SNS:ListSubscriptionsByTopic
              - SNS:Publish
            Resource: arn:aws:sns:us-east-1:123456789012:cc-sns-topic
      Topics:
        - !Ref 'AWSSNSTopic'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

# Restrict Access via SNS Topic Policy (Allow Access from Trusted IAM Users Only)
resource "aws_sns_topic_policy" "cc-sns-topic-policy" {
  arn = aws_sns_topic.cc-sns-topic.arn
  policy = data.aws_iam_policy_document.sns-topic-policy-document.json
}

data "aws_iam_policy_document" "sns-topic-policy-document" {
  statement {
    actions = [
      "SNS:GetTopicAttributes",
      "SNS:SetTopicAttributes",
      "SNS:AddPermission",
      "SNS:RemovePermission",
      "SNS:DeleteTopic",
      "SNS:Subscribe",
      "SNS:ListSubscriptionsByTopic",
      "SNS:Publish"
    ]

    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [
        "arn:aws:iam::123456789012:user/aws_sns_manager"
      ]
    }

    resources = [
      aws_sns_topic.cc-sns-topic.arn
    ]
  }
}

resource "aws_sns_topic" "cc-sns-topic" {
  name = "cc-trail-sns-topic"
}

resource "aws_sns_topic_subscription" "cc-sns-topic-target" {
  topic_arn = aws_sns_topic.cc-sns-topic.arn
  protocol  = "email"
  endpoint  = "user@domain.com"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to reconfigure.

05 Choose Edit from the console top menu to access the topic configuration settings.

06 Select the Access policy – optional tab and within the JSON editor section perform one of the following actions based on your requirements:

  1. To limit the topic access to a specific AWS account or IAM user, replace the "Principal" element value with the Amazon Resource Name (ARN) of the trusted AWS account, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:root" }, or the IAM user, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:user/<user-name>" }, that should have access to the selected Amazon SNS topic. Choose Save changes to apply the permission changes.
  2. To limit the access to a specific (trusted) IP address/IP range, add a "Condition" clause to the policy statement, i.e. "Condition": { "IpAddress": { "aws:SourceIp": "<ipv4-address>" } }, where <ipv4-address> is the trusted IPv4 address that can access the selected SNS topic. Choose Save changes to apply the policy changes.
  3. To limit the access to the topic owner only, add a "Condition" clause to the policy statement, i.e. "Condition": {"StringEquals": {"AWS:SourceOwner": "<aws-account-id>"} }, where <aws-account-id> is the AWS account ID of the SNS topic owner. Choose Save changes to apply the permission changes.

07 Repeat steps no. 4 – 6 for each Amazon SNS topic that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Modify the access policy associated with your Amazon SNS topic and replace the "Principal" element value (i.e. "*") with the ARN of the trusted AWS account, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:root" }, or the IAM user, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:user/<user-name>" }, that should have access to the selected SNS topic. Save the policy document to a JSON file named sns-trusted-access-policy.json. You can also add a "Condition" clause to the policy statement to limit the topic access to a specific (trusted) IP address/IP range or to the topic owner only. As an example, the following access policy allows access to an IAM user identified by the ARN "arn:aws:iam::123456789012:user/aws_sns_manager":

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/aws_sns_manager"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic"
    }
  ]
}

02 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to reconfigure as the identifier parameter to replace the existing access policy with the one modified at the previous step (i.e. sns-trusted-access-policy.json) in order to secure the access to the selected topic (the command does not produce an output):

aws sns set-topic-attributes \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic \
  --attribute-name Policy \
  --attribute-value file://sns-trusted-access-policy.json

03 Repeat steps no. 1 and 2 for each Amazon SNS topic that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Apr 23, 2016