
AWS SNS Unknown Cross Account Access

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Security

Risk level: High (not acceptable risk)

Ensure that all your Amazon Simple Notification Service (SNS) topics are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account access. Before running this rule in the Cloud Conformity engine you need to provide the trusted account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).

This rule resolution is part of the Cloud Conformity Security Package

Overly permissive topic policies that allow unknown cross-account access to your SNS topics can lead to unauthorized actions such as publishing messages to a topic, subscribing to it and intercepting the messages it delivers. To prevent data leaks and unexpected charges on your AWS bill, grant access only to trusted accounts by implementing the right SNS topic policies.

Audit

To determine if there are any Amazon Simple Notification Service topics that allow unknown cross account access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, under SNS Dashboard, select Topics.

04 Select the SNS topic that you want to examine.

05 Click the Actions dropdown button from the dashboard top menu and select Edit topic policy to access the SNS topic policy.

06 Inside the Edit topic policy dialog box, select the Advanced view tab and identify the AWS account ID (e.g. 123456789012) or the AWS account ARN (e.g. arn:aws:iam::123456789012:root) defined as value(s) for the access policy Principal element.

07 Sign in to your Cloud Conformity console, access the SNS Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If an identifier found within the access policy does not match any of the trusted account entities listed on your Cloud Conformity console, the cross-account access to the selected SNS topic is not secure.

08 Repeat steps no. 4 - 7 to verify the access policy of the other SNS topics available in the current region for unknown cross account access entities (AWS account IDs/ARNs).

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list all the SNS topics available in the selected region together with their ARNs (Amazon Resource Names):

aws sns list-topics \
    --region us-east-1

02 The command output should return the requested SNS topic ARNs:

{
   "Topics": [
     {
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"
     },
     {
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudconformity-cloudtrail-sns-topic"
     }
   ]
}

03 Run get-topic-attributes command (OSX/Linux/UNIX) to retrieve the selected SNS topic policy, using the topic ARN as identifier (the Policy attribute is stored as a string, so --output text prints the policy document itself rather than a JSON-escaped string literal):

aws sns get-topic-attributes \
    --region us-east-1 \
    --topic-arn arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic \
    --query 'Attributes.Policy' \
    --output text

04 The command output should return the SNS topic policy document in JSON format. In this example the topic belongs to account 123456789012 and the policy grants publish access to account 553456789011 and subscribe/receive access to the topic owner's own account:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "553456789011"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"
    }
  ]
}

05 Identify the AWS account ID(s) or ARN(s) defined as value(s) for the Principal element of each Allow statement in the access policy returned at the previous step.

06 Log in to your Cloud Conformity console, access the SNS Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If an identifier found within the access policy does not match any of the trusted entities listed on your Cloud Conformity console, the cross-account access to the selected SNS topic is not secure.

07 Repeat steps no. 3 - 6 to verify the access policy of the other SNS topics available in the current region for unknown cross account access entities.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.
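Steps 3 to 6 can be automated. The following Python script is an added example and is not part of the original page or of the Cloud Conformity engine: it reads the policy document printed by get-topic-attributes on standard input, takes the trusted account IDs/ARNs as arguments and reports every Allow statement whose principal is not one of the trusted accounts. The sample policy embedded in it is constructed for the example (it reuses the account IDs that appear on this page); the treatment of a "*" principal pinned by an AWS:SourceOwner / aws:SourceAccount / aws:PrincipalAccount condition, which is the shape of the default topic policy, is an added check that goes beyond what the rule above describes.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM and STS ARNs carry the owning account ID in their fifth field.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-zA-Z-]*:(?:iam|sts)::(\d{12}):")
# Condition keys that pin a wildcard principal to specific accounts (matched case-insensitively).
ACCOUNT_CONDITION_KEYS = {"aws:sourceowner", "aws:sourceaccount", "aws:principalaccount"}

# Constructed sample policy for a topic owned by 123456789012 (not taken from a real deployment).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:GetTopicAttributes", "SNS:Subscribe", "SNS:Publish"],
     "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
    {"Sid": "__console_pub_0", "Effect": "Allow", "Principal": {"AWS": "553456789011"},
     "Action": "SNS:Publish",
     "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"},
    {"Sid": "__console_sub_0", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "arn:aws:iam::601639253144:role/Reader"]},
     "Action": ["SNS:Subscribe", "SNS:Receive"],
     "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"},
    {"Sid": "__open_0", "Effect": "Allow", "Principal": "*", "Action": "SNS:Subscribe",
     "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"}
  ]
}
""")


def account_of(principal: str) -> Optional[str]:
    """Return the 12-digit account ID behind a Principal value, or None for "*" and unparseable values."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    match = ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def statement_principals(stmt: Dict) -> List[str]:
    """Flatten the Principal element to a list of AWS principal strings (service principals are not accounts and are skipped)."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return [str(principal)]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def pinned_accounts(stmt: Dict) -> Set[str]:
    """Accounts that a StringEquals condition on an account-scoping key restricts the caller to."""
    pinned: Set[str] = set()
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            continue
        for key, value in keys.items():
            if key.lower() in ACCOUNT_CONDITION_KEYS:
                values = [value] if isinstance(value, str) else list(value)
                pinned.update(v for v in values if ACCOUNT_ID_RE.match(v))
    return pinned


def untrusted_principals(policy: Dict, trusted: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (Sid, principal) for every Allow statement granting access outside the trusted accounts."""
    trusted_ids = {account_of(t) for t in trusted} - {None}
    findings: List[Tuple[str, str]] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        pinned = pinned_accounts(stmt)
        for principal in statement_principals(stmt):
            if principal == "*" and pinned and pinned <= trusted_ids:
                continue  # wildcard, but the condition pins the caller to trusted accounts only
            if account_of(principal) not in trusted_ids:
                findings.append((stmt.get("Sid", ""), principal))
    return findings


if __name__ == "__main__":
    # Usage: aws sns get-topic-attributes --topic-arn <ARN> --query Attributes.Policy | python sns_audit.py <trusted ID/ARN>...
    import sys
    document = json.load(sys.stdin)
    if isinstance(document, str):  # with --output json the policy arrives as a JSON string literal
        document = json.loads(document)
    for sid, principal in untrusted_principals(document, sys.argv[1:]):
        print(f"UNTRUSTED  Sid={sid}  Principal={principal}")
```

Your own account must be on the trusted list, otherwise every statement the console generated for you is reported. A "*" principal without a restricting condition is always reported, because it grants access to every AWS account, not merely to an unknown one, and a principal that no longer resolves (AWS rewrites deleted principals to an opaque unique ID) is reported for the same reason.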

Remediation / Resolution

To update your Amazon SNS topics policy in order to allow cross account access only from trusted entities, perform the following:

Using AWS Console

01 Follow steps no. 1 - 5 from the Audit section (Using AWS Console) to open the Edit topic policy dialog box for the SNS topic that you want to reconfigure.

02 Inside the Edit topic policy dialog box, select Advanced view tab and replace the existing (untrusted) AWS identifier(s) defined as the Principal element value(s) with the trusted one(s), defined on your Cloud Conformity console.

03 Click Update policy to apply the new permissions. The AWS SNS dashboard should display now the "Successfully edited topic policy." confirmation message.

04 Repeat steps no. 1 - 3 to update the access policy for other SNS topics available in the current region in order to block requests from any unauthorized AWS accounts.

05 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Edit your Amazon SNS topic access policy, replace the untrusted AWS identifier(s) with the trusted one(s) and save the policy in a JSON document (e.g. sns-cross-account-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example contains an SNS policy document that allows another (trusted) AWS account identified by the ARN arn:aws:iam::601639253144:root to receive and publish messages from/to the SNS topic identified by the ARN arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic. Note that a root ARN as Principal delegates access to the whole of that account: any IAM user or role that the other account's own IAM policies authorize can then use the topic. If only one workload in that account should publish or subscribe, name its IAM role ARN instead of the account root:

{
  "Version": "2008-10-17",
  "Id": "SNSAccessPolicy1482254699102",
  "Statement": [
    {
      "Sid": "Stmt1482254697321",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::601639253144:root"
      },
      "Action": [
        "SNS:Receive",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic"
    }
  ]
}

02 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to reconfigure (see Audit section part II to identify the right SNS resource) to replace the existing access policy with the one defined at the previous step, i.e. sns-cross-account-access-policy.json. The command replaces the entire policy document, not just the offending statement, so the new document must also carry every statement the topic still needs (for example the ones that let an AWS service publish to it). The command does not produce an output:

aws sns set-topic-attributes \
    --region us-east-1 \
    --topic-arn arn:aws:sns:us-east-1:123456789012:cloudconformity-sns-topic \
    --attribute-name Policy \
    --attribute-value file://sns-cross-account-access-policy.json

03 Repeat step no. 1 and 2 to update the access policy for other SNS topics available in the current region in order to block requests from unauthorized cross account entities.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.
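The remediation policy above grants one account both publish and subscribe rights in a single statement. The following Python script is an added example, not part of the original page or of the Cloud Conformity tooling: it builds a least-privilege replacement policy in which publishers may only publish and subscribers may only subscribe and receive, refuses any principal that is not a 12-digit account ID or an IAM root/user/role ARN (so a "*" cannot slip in), writes the document to a file and assembles the set-topic-attributes command from step 2. The function and statement names are this example's own, the account IDs are the ones used on this page, and the final subprocess call assumes a configured AWS CLI and credentials with sns:SetTopicAttributes permission.

```python
import json
import re
from typing import Dict, List, Sequence

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:(?:root|user/.+|role/.+)$")


def normalize_principal(principal: str) -> str:
    """Expand a bare account ID to its root ARN, pass IAM root/user/role ARNs through, refuse anything else ("*" included)."""
    if ACCOUNT_ID_RE.match(principal):
        return f"arn:aws:iam::{principal}:root"
    if IAM_ARN_RE.match(principal):
        return principal
    raise ValueError(f"refusing to grant topic access to {principal!r}")


def build_topic_policy(topic_arn: str, publishers: Sequence[str], subscribers: Sequence[str]) -> Dict:
    """Least-privilege topic policy: publishers may only publish, subscribers may only subscribe and receive."""
    if not publishers and not subscribers:
        raise ValueError("no trusted principals given; the policy would grant nothing")
    statements: List[Dict] = []
    if publishers:
        statements.append({
            "Sid": "TrustedPublishers", "Effect": "Allow",
            "Principal": {"AWS": [normalize_principal(p) for p in publishers]},
            "Action": "SNS:Publish", "Resource": topic_arn})
    if subscribers:
        statements.append({
            "Sid": "TrustedSubscribers", "Effect": "Allow",
            "Principal": {"AWS": [normalize_principal(s) for s in subscribers]},
            "Action": ["SNS:Subscribe", "SNS:Receive"], "Resource": topic_arn})
    # 2012-10-17 is the current policy language version; 2008-10-17 (used on this page) is still accepted.
    return {"Version": "2012-10-17", "Id": "TrustedCrossAccountAccess", "Statement": statements}


def write_policy_file(policy: Dict, path: str) -> str:
    """Save the policy as the JSON document that set-topic-attributes reads via file://."""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


def set_topic_attributes_command(topic_arn: str, policy_path: str) -> List[str]:
    """argv for the AWS CLI call that replaces the topic policy; the region is the fourth field of the topic ARN."""
    region = topic_arn.split(":")[3]
    return ["aws", "sns", "set-topic-attributes", "--region", region, "--topic-arn", topic_arn,
            "--attribute-name", "Policy", "--attribute-value", f"file://{policy_path}"]


if __name__ == "__main__":
    # Usage: python sns_remediate.py <topic ARN> <publisher IDs/ARNs, comma-separated> <subscriber IDs/ARNs, comma-separated>
    import subprocess
    import sys
    topic = sys.argv[1]
    publishers = [p for p in sys.argv[2].split(",") if p]
    subscribers = [s for s in sys.argv[3].split(",") if s]
    policy = build_topic_policy(topic, publishers, subscribers)
    path = write_policy_file(policy, "sns-cross-account-access-policy.json")
    print(json.dumps(policy, indent=2))
    subprocess.run(set_topic_attributes_command(topic, path), check=True)  # requires AWS CLI credentials
```

Review the printed document before the call goes out: because set-topic-attributes replaces the whole policy, any statement for an AWS service that publishes to the topic has to be added to the generated document by hand, and it is worth diffing the result against the policy retrieved in the Audit section.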

Publication date Dec 23, 2016