Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to publish. An SNS topic's access policy can grant publish permission to "Everyone" (unrestricted access), to specific AWS users or AWS resources, or to the topic owner only. Make sure that the "Everyone" entity is not used with any SNS topic provisioned in your AWS account, so that attackers or unauthorized users cannot publish messages to your topics.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When an SNS topic policy grants publish permission to "Everyone" by using the wildcard "*" as the Principal value, the topic is at risk: any unauthenticated entity can publish messages to it, including malicious ones, although such messages should normally come only from trusted publishers.
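The following is an added example, not part of the Cloud Conformity rule page: a small offline checker that parses an SNS topic policy document and flags Allow statements whose Principal is "Everyone" ("*" or {"AWS": "*"}) and whose Action covers sns:Publish. The topic ARN, account id and policies are constructed placeholders; the policy JSON would normally come from the topic's Policy attribute.

```python
import json

PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}

def _as_list(value):
    # Policy elements (Statement, Action, Principal.AWS) may be a string or a list.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_is_everyone(principal):
    # "Everyone" is written as "*" or as {"AWS": "*"} in an SNS topic policy.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def open_publish_statements(policy_json):
    """Return Sids of Allow statements that let any principal publish to the topic.

    A statement with a Condition block is skipped, because a condition such as
    aws:SourceArn can narrow a wildcard principal; those need a manual review.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and actions & PUBLISH_ACTIONS
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed sample policies for a hypothetical topic (account id is a placeholder).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEveryoneToPublish", "Effect": "Allow", "Principal": "*",
     "Action": "sns:Publish", "Resource": TOPIC_ARN}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOwnerAccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sns:Publish", "Resource": TOPIC_ARN}]})

if __name__ == "__main__":
    print(open_publish_statements(OPEN_POLICY))        # ['AllowEveryoneToPublish']
    print(open_publish_statements(RESTRICTED_POLICY))  # []
```

The restricted policy shows the shape of the fix: replace the wildcard Principal with the specific account, user or service that is supposed to publish.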
To determine if there are any SNS topics accessible to anonymous publishing available in your AWS account, perform the following actions:
Remediation / Resolution
To update the access control policies attached to SNS topics that are publicly accessible for publishing, and to implement the permissions required to secure the exposed topics, perform the following actions:
- AWS Documentation
- Amazon SNS FAQs
- Managing Access to Your Amazon SNS Topics
- IAM JSON Policy Elements Reference
- Controlling User Access to Your AWS Account
- Special Information for Amazon SNS Policies
- AWS Policy Generator
- CIS Amazon Web Services Foundations
Rule: SNS Topic Accessible For Publishing
Risk level: Medium