Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to subscribe. An SNS topic access policy can grant the Subscribe action to: "Everyone" (anonymous access); requesters whose endpoint URL, protocol, email address or ARN in the Subscribe request match a given value; specific AWS accounts, users or resources; and the topic owner. Make sure that no SNS topic in your AWS account grants subscription rights to "Everyone": with that grant, anyone who learns the topic ARN can subscribe an endpoint of their choice and receive every message published to the topic, which exposes those messages to attackers and unauthorized personnel.
This rule maps to the compliance standards supported by Conformity; see the Conformity documentation for the full list.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an SNS topic policy grants permission with a wildcard Principal, i.e. "Principal": "*" (or the equivalent {"AWS": "*"}), the topic is at risk: any unauthenticated caller can subscribe an endpoint to the topic and receive the messages its publishers send, messages that are usually intended only for known subscribers. Note that a wildcard Principal narrowed by a Condition such as aws:SourceOwner or aws:SourceArn does not grant anonymous access; the statements to look for are Allow statements that combine a "*" principal, the SNS:Subscribe (or SNS:*) action and no such restricting condition.
To determine if there are any SNS topics publicly accessible for subscription within your AWS account, perform the following:
Remediation / Resolution
To update the access control policies attached to the SNS topics that are publicly accessible for subscription and implement the required permissions to secure the exposed topics, perform the following actions:
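The following Python script is an added example, not Conformity's own check or remediation code. It shows the audit logic described above run against two constructed topic policies (one that lets "Everyone" subscribe, one whose "*" principal is scoped by an aws:SourceOwner condition) and a hardening step that rewrites offending statements to a single account principal. The topic ARN, the account ID and the choice of the account root as the replacement principal are assumptions for illustration; in practice the policy JSON would come from the topic's Policy attribute (GetTopicAttributes) and the rewritten document would be written back with SetTopicAttributes.

```python
"""Added example (not Conformity's own code): audit an SNS topic access policy
for anonymous ("Everyone") subscription rights and rewrite it so that only a
named account can subscribe. The policies below are constructed for the
example; the topic ARN and account ID are placeholders."""
import json

# Actions that grant subscription rights. IAM compares action names
# case-insensitively, so everything is lower-cased before matching.
SUBSCRIBE_ACTIONS = {"sns:subscribe", "sns:*", "*"}

# Condition keys that bind a "*" principal to one account, resource or org.
# A statement carrying one of these is not open to Everyone even though its
# Principal is "*".
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceowner", "aws:sourcearn", "aws:sourceaccount",
    "aws:principalaccount", "aws:principalorgid",
}

# Constructed sample policies (placeholder ARN and account ID).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"

PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneToSubscribe",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["SNS:Subscribe", "SNS:Receive"],
        "Resource": TOPIC_ARN,
    }],
})

# Principal is still "*", but aws:SourceOwner scopes it to one account.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerOnlyViaCondition",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "SNS:Subscribe",
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}; both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_restricting_condition(statement):
    """True if any condition key narrows the caller to an account/resource."""
    for keys in statement.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in keys):
            return True
    return False


def find_public_subscribe_statements(policy_json):
    """Return the Sid (or positional label) of each Allow statement that lets
    Everyone subscribe without a restricting condition."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and actions & SUBSCRIBE_ACTIONS
                and not _has_restricting_condition(stmt)):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def restrict_to_account(policy_json, account_id):
    """Rewrite each offending statement so only principals of account_id can
    subscribe (assumed remediation: the account root as principal). Returns
    the new policy as a JSON string, the form SetTopicAttributes expects for
    AttributeName="Policy"."""
    policy = json.loads(policy_json)
    offending = set(find_public_subscribe_statements(policy_json))
    statements = _as_list(policy.get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Sid", f"statement[{idx}]") in offending:
            stmt["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("public:", find_public_subscribe_statements(PUBLIC_POLICY))
    print("conditioned:", find_public_subscribe_statements(CONDITIONED_POLICY))
    print(restrict_to_account(PUBLIC_POLICY, "123456789012"))
```

The check deliberately treats a "*" principal paired with aws:SourceOwner or aws:SourceArn as not public, since the condition already pins the caller to an account or resource; a tool that flags on Principal alone produces false positives on such policies. Statements that use NotAction or NotPrincipal are not handled here and should be reviewed by hand.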
References (AWS documentation):
- Amazon SNS FAQs
- Managing Access to Your Amazon SNS Topics
- IAM JSON Policy Elements Reference
- Controlling User Access to Your AWS Account
- Special Information for Amazon SNS Policies
- AWS Policy Generator
- CIS Amazon Web Services Foundations
Rule: SNS Topic Accessible For Subscription
Risk level: Medium