Ensure that your Amazon Simple Notification Service (SNS) topics do not allow "Everyone" to subscribe. An SNS topic's access policy can grant subscribe permission to: "Everyone" (unrestricted, i.e. a wildcard "Principal" with no "Condition"), only callers whose "Subscribe" request endpoint URL, protocol, email address, or ARN matches a value set in a policy "Condition", specific AWS principals (accounts, users, or roles), or only the topic owner. Make sure that "Everyone" is not used for any SNS topic created in your AWS account, so that attackers or unauthorized personnel cannot attach their own subscriptions to it.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When the access policy attached to an SNS topic grants the "Subscribe" permission to "Everyone", using a wildcard (i.e. "*") as the "Principal" value without a restricting "Condition", the topic is at risk: any caller, including unauthenticated ones, can subscribe an endpoint of their choosing and receive every message the topic publishers send, messages that should reach only known and trusted subscribers. Note that a wildcard "Principal" narrowed by a "Condition" (for example on "sns:Endpoint" or "sns:Protocol") is a restricted grant and is not the "Everyone" case this rule targets.
Audit
To determine if there are any Amazon SNS topics in your AWS account that are publicly accessible for subscription, perform the following operations:
Remediation / Resolution
To update the access policy associated with the Amazon SNS topics that are publicly accessible for subscription and set the appropriate permissions, perform the following operations:
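The audit and the remediation described above can be scripted against the topic's policy document. The following is an added example, not code from the Conformity page or from AWS: it parses an SNS access policy (the same JSON returned by `aws sns get-topic-attributes --topic-arn <arn> --query Attributes.Policy --output text`), reports each "Allow" statement that grants "Subscribe" to a wildcard principal, distinguishing a truly public grant (no "Condition") from a conditional one, and produces a hardened copy in which every public grant is restricted to the owning account's root principal. That hardened JSON is what you would pass to `aws sns set-topic-attributes --topic-arn <arn> --attribute-name Policy --attribute-value file://policy.json`. The account ID, topic ARN, and the sample policy below are constructed for illustration.

```python
"""Audit an SNS topic access policy for an "Everyone" subscribe grant and harden it.

Added example (not Conformity's or AWS's code). ACCOUNT_ID, TOPIC_ARN and
SAMPLE_POLICY are constructed test data; feed a real policy document from
`aws sns get-topic-attributes` into audit_policy() / restrict_to_account().
"""
import copy
import json

# Actions that let a caller attach a subscriber or receive deliveries.
SUBSCRIBE_ACTIONS = {"sns:subscribe", "sns:receive", "sns:*", "*"}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_ids(statement):
    """Flatten Principal ("*", {"AWS": "*"}, {"AWS": [...]}) into identifiers."""
    principal = statement.get("Principal")
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        return [p for value in principal.values() for p in _as_list(value)]
    return []


def _wildcard_subscribe_level(statement):
    """None if the statement is not a wildcard Subscribe grant, else
    "public" (no Condition: the "Everyone" case) or "conditional"."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    if statement.get("Effect") != "Allow" or not actions & SUBSCRIBE_ACTIONS:
        return None
    if "*" not in _principal_ids(statement):
        return None
    return "conditional" if statement.get("Condition") else "public"


def audit_policy(policy):
    """Return one finding per wildcard Subscribe grant: {"sid": ..., "level": ...}."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        level = _wildcard_subscribe_level(stmt)
        if level:
            findings.append({"sid": stmt.get("Sid", ""), "level": level})
    return findings


def restrict_to_account(policy, account_id):
    """Return a copy of the policy with every public Subscribe grant limited to the
    owning account's root principal. Conditional grants are left for human review."""
    doc = copy.deepcopy(json.loads(policy) if isinstance(policy, str) else policy)
    owner = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(doc.get("Statement")):
        if _wildcard_subscribe_level(stmt) != "public":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            # Keep non-wildcard entries (e.g. a Service principal); swap "*" for the owner.
            aws = [p for p in _as_list(principal.get("AWS")) if p != "*"]
            principal = {k: v for k, v in principal.items() if k != "AWS"}
            principal["AWS"] = aws + [owner] if aws else owner
            stmt["Principal"] = principal
        else:
            stmt["Principal"] = {"AWS": owner}
    return doc


# Constructed sample: the SNS default statement (wildcard narrowed by AWS:SourceOwner),
# an operator-added "Everyone can subscribe" statement, and a partner publish grant.
ACCOUNT_ID = "123456789012"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:order-events"
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Subscribe", "SNS:Publish", "SNS:GetTopicAttributes"],
         "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT_ID}}},
        {"Sid": "AllowEveryoneToSubscribe", "Effect": "Allow", "Principal": "*",
         "Action": "sns:Subscribe", "Resource": TOPIC_ARN},
        {"Sid": "AllowPartnerPublish", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
    ],
})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"{finding['level']:12} {finding['sid']}")
    # Write the hardened document for `aws sns set-topic-attributes ... file://policy.json`.
    print(json.dumps(restrict_to_account(SAMPLE_POLICY, ACCOUNT_ID), indent=2))
```

Only the "public" findings are the "Everyone" case this rule flags; a "conditional" finding (such as the default statement, which is bound to the owning account by AWS:SourceOwner) is reported so a reviewer can confirm the condition is tight enough, but is not rewritten.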
References
- AWS Documentation
  - Amazon SNS FAQs
  - Identity and access management in Amazon SNS
  - IAM JSON policy elements reference
  - Using identity-based policies with Amazon SNS
  - Amazon SNS API permissions: Actions and resources reference
- AWS Command Line Interface (CLI) Documentation
  - sns
  - list-topics
  - get-topic-attributes
  - set-topic-attributes
- CloudFormation Documentation
  - Amazon Simple Notification Service resource type reference
- Terraform Documentation
  - AWS Provider