
SNS Topic Accessible For Subscription

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SNS-005

Ensure that your Amazon Simple Notification Service (SNS) topics don't allow "Everyone" to subscribe. The identities that can subscribe to your SNS topics can be: "Everyone" (unrestricted access), users whose endpoint URL, protocol, email address, or ARN from a "Subscribe" request match a certain value, specific AWS users, and the topic owner. From this list of topic subscribers, you need to make sure that "Everyone" is not used with any SNS topics created within your AWS cloud account in order to protect against attackers or unauthorized personnel.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When the access policy associated with an SNS topic grants permission to "Everyone" by using a wildcard (i.e. "*") as the "Principal" value, the topic is at risk: any unauthenticated entity can subscribe to it and receive the messages its publishers send, messages that should normally reach only known and trusted subscribers.


Audit

To determine if there are any Amazon SNS topics publicly accessible for subscription available in your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to examine.

05 Select the Access policy tab from the console bottom panel to access the permissions configured for the selected topic.

06 Check the policy document listed in the Access policy section for statements with the following combination of elements: "Effect" set to "Allow", "Principal" set to "*" or {"AWS": "*"}, and "Action" set to "SNS:Subscribe" and "SNS:Receive". If one or more policy statements contain the specified combination of elements, and the policy is not using "Condition" clauses to filter the access, as shown in the policy example listed below, the selected Amazon Simple Notification Service (SNS) topic is publicly accessible for subscription:

{
	"Version": "2008-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": [
				"SNS:ListSubscriptionsByTopic",
				"SNS:Subscribe",
				"SNS:Receive"
			],
			"Resource": "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic"
		}
	]
}

07 Repeat steps no. 4 – 6 for each Amazon SNS topic available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Amazon SNS topic available in the selected AWS cloud region:

aws sns list-topics \
  --region us-east-1 \
  --output table \
  --query 'Topics[]'

02 The command output should return a table with the requested SNS topic ARNs:

-----------------------------------------------------------
|                       ListTopics                        |
+---------------------------------------------------------+
|                        TopicArn                         |
+---------------------------------------------------------+
|  arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic  |
|  arn:aws:sns:us-east-1:123456789012:cc-prod-sns-topic   |
+---------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to examine as the identifier parameter to describe the access policy configured for the selected SNS topic:

aws sns get-topic-attributes \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic \
  --query 'Attributes.Policy'

04 The command output should return the topic policy document in JSON format:

"{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:ListSubscriptionsByTopic",
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic"
    }
  ]
}"

Check the policy document returned by the get-topic-attributes command output for statements with the following combination of elements: "Effect" set to "Allow", "Principal" set to "*" or {"AWS": "*"}, and "Action" set to "SNS:Subscribe" and "SNS:Receive". If one or more policy statements contain the specified combination, and the policy is not using "Condition" clauses to filter the access, as shown in the policy example listed above, the selected Amazon Simple Notification Service (SNS) topic is publicly accessible for subscription.

05 Repeat steps no. 3 and 4 for each Amazon SNS topic available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To update the access policy associated with the Amazon SNS topics that are publicly accessible for subscription and set the appropriate permissions, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Restrict Anonymous Subscriptions for SNS Topics (Allow Access from Trusted IAM Users Only)",
	"Parameters": {
		"SNSTopicName": {
			"Type": "String",
			"Description": "Topic Name",
			"Default": "cc-sns-topic"
		}
	},
	"Resources": {
		"AWSSNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"TopicName": {
					"Ref": "SNSTopicName"
				},
				"Subscription": [
					{
						"Endpoint": "user@domain.com",
						"Protocol": "email"
					}
				]
			}
		},
		"AWSSNSTopicPolicy": {
			"Type": "AWS::SNS::TopicPolicy",
			"Properties": {
				"PolicyDocument": {
					"Id": "SecureAccessPolicy",
					"Version": "2008-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/sns_subscriber"
							},
							"Action": [
								"SNS:ListSubscriptionsByTopic",
								"SNS:Subscribe",
								"SNS:Receive"
							],
							"Resource": "arn:aws:sns:us-east-1:123456789012:cc-sns-topic"
						}
					]
				},
				"Topics": [
					{
						"Ref": "AWSSNSTopic"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Restrict Anonymous Subscriptions for SNS Topics (Allow Access from Trusted
  IAM Users Only)
Parameters:
  SNSTopicName:
    Type: String
    Description: Topic Name
    Default: cc-sns-topic
Resources:
  AWSSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref 'SNSTopicName'
      Subscription:
        - Endpoint: user@domain.com
          Protocol: email
  AWSSNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: SecureAccessPolicy
        Version: '2008-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/sns_subscriber
            Action:
              - SNS:ListSubscriptionsByTopic
              - SNS:Subscribe
              - SNS:Receive
            Resource: arn:aws:sns:us-east-1:123456789012:cc-sns-topic
      Topics:
        - !Ref 'AWSSNSTopic'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

# Restrict Anonymous Subscriptions for SNS Topics (Allow Access from Trusted IAM Users Only)
resource "aws_sns_topic_policy" "cc-sns-topic-policy" {
	arn = aws_sns_topic.cc-sns-topic.arn
	policy = data.aws_iam_policy_document.sns-topic-policy-document.json
}

data "aws_iam_policy_document" "sns-topic-policy-document" {
	statement {
		actions = [
			"SNS:ListSubscriptionsByTopic",
			"SNS:Subscribe",
			"SNS:Receive"
		]

		effect = "Allow"

		principals {
			type        = "AWS"
			identifiers = [
				"arn:aws:iam::123456789012:user/sns_subscriber"
			]
		}

		resources = [
			aws_sns_topic.cc-sns-topic.arn
		]
	}
}

resource "aws_sns_topic" "cc-sns-topic" {
	name = "cc-trail-sns-topic"
}

resource "aws_sns_topic_subscription" "cc-sns-topic-target" {
	topic_arn = aws_sns_topic.cc-sns-topic.arn
	protocol  = "email"
	endpoint  = "user@domain.com"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/v3.

03 In the main navigation panel, under Amazon SNS, choose Topics.

04 Click on the name (link) of the SNS topic that you want to reconfigure.

05 Choose Edit from the console top menu to access the topic configuration settings.

06 Select the Access policy – optional tab and within the JSON editor section perform one of the following actions based on your requirements:

  1. To allow a specific AWS account or IAM user to subscribe, replace the "Principal" element value with the Amazon Resource Name (ARN) of the trusted AWS account, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:root" } or the IAM user, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:user/<user-name>" } that should have access to the selected Amazon SNS topic. Choose Save changes to apply the permission changes.
  2. To grant subscription access to users with endpoints that match specific endpoints and/or delivery protocols, add a "Condition" clause that defines the allowed endpoints and/or protocols, e.g. "Condition": { "StringLike": { "SNS:Endpoint": "user@domain.com" }, "StringEquals": { "sns:Protocol": "email" } }. Choose Save changes to apply the permission changes.
  3. To grant the topic owner the permission to subscribe, add a "Condition" clause to the policy statement, i.e. "Condition": { "StringEquals": { "AWS:SourceOwner": "<aws-account-id>"} }, where <aws-account-id> is the AWS account ID of the SNS topic owner. Choose Save changes to apply the permission changes.

07 Repeat steps no. 4 – 6 for each Amazon SNS topic that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Modify the access policy associated with your Amazon SNS topic and replace the "Principal" element value (i.e. "*") with the ARN of the trusted AWS account, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:root" } or the trusted IAM user, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:user/<user-name>" }, that should have permission to subscribe to the selected SNS topic. Save the policy document to a JSON file named sns-subscription-access-policy.json. You can also add a "Condition" clause to the policy statement in order to limit the subscription access to users with endpoints that match specific endpoints and/or delivery protocols or to limit the access to the topic owner only. As an example, the following policy allows a trusted IAM user, identified by the ARN "arn:aws:iam::123456789012:user/sns_subscriber", to subscribe to the selected SNS topic:

{
	"Version": "2008-10-17",
	"Statement": [
	{
		"Effect": "Allow",
		"Principal": {
			"AWS": "arn:aws:iam::123456789012:user/sns_subscriber"
		},
		"Action": [
			"SNS:ListSubscriptionsByTopic",
			"SNS:Subscribe",
			"SNS:Receive"
		],
		"Resource": "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic"
	}
	]
}

02 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon SNS topic that you want to reconfigure as the identifier parameter to replace the existing access policy with the one modified at the previous step (i.e. sns-subscription-access-policy.json) in order to secure the subscription access to the selected topic (the command does not produce an output):

aws sns set-topic-attributes \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic \
  --attribute-name Policy \
  --attribute-value file://sns-subscription-access-policy.json

03 Repeat steps no. 1 and 2 for each Amazon SNS topic that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
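The policy check from Audit CLI steps 03 and 04 and the "Principal" replacement from Remediation CLI step 01, combined in an added Python example that is not part of this knowledge base article or of Conformity. It works on the policy string that get-topic-attributes returns in Attributes.Policy (no AWS call is made; the sample policy is constructed inline), and it also treats wildcard actions such as "SNS:*" as subscribe-capable, which goes beyond the two actions the rule text lists.

```python
import json

# Actions that let a principal subscribe to or receive from a topic
# (wildcards included; the rule text lists only Subscribe and Receive).
SUBSCRIBE_ACTIONS = {"sns:subscribe", "sns:receive", "sns:*", "*"}

def _as_list(value):
    """IAM policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} grants access to Everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def is_public_subscribe(stmt):
    """The SNS-005 combination: Effect Allow, anonymous Principal,
    a subscribe/receive Action and no Condition clause."""
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return (stmt.get("Effect") == "Allow"
            and _is_anonymous(stmt.get("Principal"))
            and bool(actions & SUBSCRIBE_ACTIONS)
            and not stmt.get("Condition"))

def public_subscription_statements(policy_json):
    """policy_json is the string held in Attributes.Policy (get-topic-attributes)."""
    policy = json.loads(policy_json)
    return [s for s in _as_list(policy.get("Statement")) if is_public_subscribe(s)]

def restrict_to_principal(policy_json, trusted_arn):
    """Replace the Principal of every flagged statement with the trusted ARN,
    as in Remediation step 01; statements already restricted are left alone."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if is_public_subscribe(stmt):
            stmt["Principal"] = {"AWS": trusted_arn}
    return json.dumps(policy, indent=2)

# Constructed sample: the publicly subscribable policy from the Audit section.
PUBLIC_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:ListSubscriptionsByTopic", "SNS:Subscribe", "SNS:Receive"],
    "Resource": "arn:aws:sns:us-east-1:123456789012:cc-trail-sns-topic"}]})

if __name__ == "__main__":
    # Audit the sample and print the policy to feed to set-topic-attributes.
    print(len(public_subscription_statements(PUBLIC_POLICY)), "public statement(s)")
    print(restrict_to_principal(PUBLIC_POLICY, "arn:aws:iam::123456789012:user/sns_subscriber"))
```

The printed document can be saved as sns-subscription-access-policy.json and applied with the set-topic-attributes command from step 02.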


Publication date Mar 16, 2018