Ensure that your Amazon Simple Notification Service (SNS) topics do not allow "Everyone" to publish messages. An SNS topic's access policy can grant publish permission to "Everyone" (unrestricted access), to specific AWS accounts, IAM identities or AWS services, or to the topic owner alone. Make sure that none of the SNS topics provisioned in your AWS account grants publish permission to "Everyone", so that attackers and other unauthorized parties cannot inject messages into them.
This rule can help you with the following compliance standards:
- PCI
- GDPR
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When the access policy attached to an SNS topic grants the SNS:Publish action to "Everyone", that is, with a wildcard as the "Principal" value (either "*" or {"AWS": "*"}) and no Condition block narrowing it, any unauthenticated caller on the internet can publish arbitrary messages to the topic. Those messages are fanned out to every subscriber (email, SMS, SQS queues, Lambda functions, HTTP endpoints) exactly as if they came from a trusted publisher, so the topic can be abused to spam or mislead recipients and to trigger downstream processing with attacker-controlled input.
Audit
To determine if there are any Amazon SNS topics accessible to anonymous publishing available within your AWS account, perform the following actions:
Remediation / Resolution
To update the access policy associated with your Amazon SNS topic and set the appropriate permissions in order to restrict anonymous publishing, perform the following actions:
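The audit and remediation steps above both operate on the topic's access policy, which is the JSON returned by `aws sns get-topic-attributes --topic-arn <arn> --query Attributes.Policy --output text` and written back with `aws sns set-topic-attributes --attribute-name Policy`. The following Python is an added example, not Conformity's own code: it takes a constructed sample policy (the topic ARN, account ID and bucket name are hypothetical placeholders) and shows both halves, detecting Allow statements that let "Everyone" publish and rewriting them so that only the topic owner's account can. It also covers the two forms a wildcard principal can take and deliberately skips wildcard statements that are narrowed by a Condition key such as aws:SourceArn, since those are not anonymous access.

```python
import json
from typing import Any, List

# Constructed sample topic policy, in the shape returned by
#   aws sns get-topic-attributes --topic-arn <arn> --query Attributes.Policy --output text
# The ARN, account ID and bucket name below are hypothetical placeholders.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"
OWNER_ACCOUNT = "123456789012"

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # the topic owner's account: legitimate
            "Sid": "OwnerAccess",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:root"},
            "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
            "Resource": TOPIC_ARN,
        },
        {   # "Everyone" in the console: the finding this rule is about
            "Sid": "AnonymousPublish",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SNS:Publish",
            "Resource": TOPIC_ARN,
        },
        {   # an AWS service principal scoped by a condition key: legitimate
            "Sid": "S3EventsFromOwnBucket",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": TOPIC_ARN,
            "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}},
        },
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Statement, Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean Everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_publish(action: Any) -> bool:
    """Action names are case-insensitive; sns:* and a bare * also cover Publish."""
    return any(a.lower() in ("sns:publish", "sns:*", "*") for a in _as_list(action))


def anonymous_publish_sids(policy_json: str) -> List[str]:
    """Audit: Sids of Allow statements that let any unauthenticated caller publish.

    A wildcard principal narrowed by a Condition block (for example aws:SourceArn
    or aws:SourceAccount on a service integration) is not open to Everyone and is
    intentionally not reported here."""
    policy = json.loads(policy_json)
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if (st.get("Effect") == "Allow"
                and _is_wildcard_principal(st.get("Principal"))
                and _grants_publish(st.get("Action", []))
                and not st.get("Condition")):
            findings.append(st.get("Sid", f"Statement[{idx}]"))
    return findings


def restrict_anonymous_publish(policy_json: str, owner_account: str) -> str:
    """Remediation: replace each offending wildcard Principal with the topic owner's
    account root and leave every other statement untouched. The returned JSON is
    what you pass to
      aws sns set-topic-attributes --topic-arn <arn> --attribute-name Policy \
          --attribute-value file://policy.json
    """
    policy = json.loads(policy_json)
    offending = set(anonymous_publish_sids(policy_json))
    statements = _as_list(policy.get("Statement", []))
    for idx, st in enumerate(statements):
        if st.get("Sid", f"Statement[{idx}]") in offending:
            st["Principal"] = {"AWS": f"arn:aws:iam::{owner_account}:root"}
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("anonymous publish before fix:", anonymous_publish_sids(SAMPLE_POLICY))
    hardened = restrict_anonymous_publish(SAMPLE_POLICY, OWNER_ACCOUNT)
    print("anonymous publish after fix:", anonymous_publish_sids(hardened))
    print(hardened)
```

Run against a real account by substituting the output of `get-topic-attributes` for SAMPLE_POLICY and looping over the ARNs from `aws sns list-topics`. Replacing the principal rather than deleting the statement keeps the topic's action list and resource scope intact; if the wildcard was there to let an AWS service publish, the correct fix is instead a Service principal plus a Condition on aws:SourceArn or aws:SourceAccount, as in the third sample statement.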
References
- AWS Documentation
  - Amazon SNS FAQs
  - Identity and access management in Amazon SNS
  - IAM JSON policy elements reference
  - Using identity-based policies with Amazon SNS
  - Amazon SNS API permissions: Actions and resources reference
- AWS Command Line Interface (CLI) Documentation
  - sns
  - list-topics
  - get-topic-attributes
  - set-topic-attributes
- CloudFormation Documentation
  - Amazon Simple Notification Service resource type reference
- Terraform Documentation
  - AWS Provider