
AWS SNS exposed topics

Last updated: 10 November 2017
Security

Risk level: High (act today)

Identify any publicly accessible SNS topics and implement the necessary permissions in order to protect them against attackers or unauthorized personnel.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Setting accidentally (or intentionally) overly permissive policies for your SNS topics can allow unauthorized users to receive/publish messages and subscribe to the exposed topics. One common scenario is when a root user grants permissions for an SNS topic to the "Everyone" grantee while testing the notification system and forgets about the insecure set of permissions applied during the testing stage.

Audit

To determine if there are any exposed SNS topics within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Select the SNS topic that you want to examine.

05 Click the Actions button from the dashboard top menu and select Edit topic policy.

06 In the Edit topic policy dialog box, perform the following:

  1. Select the Basic View tab to examine the topic policy implemented with the basic editor. If the user (grantee) allowed to publish messages to the topic and/or the user allowed to subscribe to the topic is set to "Everyone", the selected topic is exposed to unauthorized access.
  2. Select the Advanced View tab to examine the topic policy document implemented with the advanced editor. If the custom policy document contains Principal elements that do not name specific principals, e.g. "Principal": {"AWS": "*"}, and those statements do not use Condition clauses to restrict access (for example to the owning account via "AWS:SourceOwner"), the selected topic is exposed to unauthorized access.

07 Repeat step no. 4 – 6 for each SNS topic available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to retrieve the list with all the SNS topics available in the selected region and their ARNs (Amazon Resource Name):

aws sns list-topics \
	--region us-east-1

02 The command output should return each SNS topic ARN:

{
    "Topics": [
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
        },
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
        }
    ]
}

03 Run get-topic-attributes command (OSX/Linux/UNIX) to return the selected SNS topic policy using its ARN for identification:

aws sns get-topic-attributes \
	--topic-arn "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic" \
	--region us-east-1 \
	--query 'Attributes.Policy'

04 The command output should return the topic policy document (the Policy attribute is returned as a JSON-encoded string; it is shown decoded and formatted here):

{
  "Version": "2008-10-17",
  "Id": "mobile_custom_policy_ID",
  "Statement": [
    {
      "Sid": "mobile_custom_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:ListSubscriptionsByTopic",
        "SNS:Subscribe",
        "SNS:DeleteTopic",
        "SNS:GetTopicAttributes",
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:AddPermission",
        "SNS:Receive",
        "SNS:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
    }
  ]
}

If the policy document returned contains Principal elements that grant permissions to everyone, e.g. "Principal": {"AWS": "*"}, without Condition clauses that restrict the access (such as "AWS:SourceOwner" pinning the statement to the owning account), the SNS topic is exposed to unauthorized access. In the example above all three statements are open: anyone can publish, subscribe, and even delete the topic.
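The same check applied to the policy document programmatically, as an added example that is not part of the original page. It takes the Policy attribute in the form get-topic-attributes returns it (a JSON string), flags every Allow statement whose Principal is "*" or {"AWS": "*"} and that carries no Condition, and also handles the alternative encodings a policy may use (a bare "*" Principal, a single unwrapped statement, a single action given as a string rather than a list). The sample policy is constructed for this example and modelled on the document above, with the first statement already pinned to the owning account so that the output shows both outcomes; audit_topics is an optional live version that assumes boto3 and AWS credentials are available.

```python
"""Flag SNS topic policy statements that hand actions to everyone.

Added example, not code from the original page. Rule: an Allow statement
with a wildcard Principal and no Condition block is open to any AWS
principal, which is exactly what the audit steps above look for.
"""
import json

# Constructed sample. get-topic-attributes returns the Policy attribute as a
# JSON *string*, so the functions below take the string, not a dict.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "mobile_custom_policy_ID",
    "Statement": [
        {"Sid": "mobile_custom_statement_ID", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:DeleteTopic"],
         "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic",
         # pinned to the owning account: not open
         "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
        {"Sid": "__console_pub_0", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"},
        {"Sid": "__console_sub_0", "Effect": "Allow",
         "Principal": "*", "Action": ["SNS:Subscribe", "SNS:Receive"],
         "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"},
    ],
})


def _has_wildcard_principal(principal) -> bool:
    """True for the "*", {"AWS": "*"} and {"AWS": ["*", ...]} encodings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def exposed_statements(policy_json: str) -> list[dict]:
    """Return the Allow statements granted to everyone without a Condition."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _has_wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def exposed_actions(policy_json: str) -> dict[str, list[str]]:
    """Map each exposed statement's Sid to the actions it hands to everyone."""
    result = {}
    for s in exposed_statements(policy_json):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        result[s.get("Sid", "<no Sid>")] = sorted(actions)
    return result


def audit_topics(region: str):
    """Optional live check (assumes boto3 and AWS credentials are configured):
    yield (topic_arn, [exposed Sids]) for every topic in the region."""
    import boto3  # imported here so the offline check above needs no boto3
    sns = boto3.client("sns", region_name=region)
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            policy = sns.get_topic_attributes(TopicArn=arn)["Attributes"].get("Policy")
            if policy:
                sids = [s.get("Sid") for s in exposed_statements(policy)]
                if sids:
                    yield arn, sids


if __name__ == "__main__":
    for sid, actions in exposed_actions(SAMPLE_POLICY).items():
        print(f"EXPOSED {sid}: {', '.join(actions)}")
```

Run against the sample, only __console_pub_0 and __console_sub_0 are reported; the first statement is accepted because its AWS:SourceOwner condition limits it to principals of the owning account. Deny statements and statements naming a specific account principal are never flagged.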

Remediation / Resolution

To update the policies and implement the required permissions to secure any exposed SNS topics, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Select the SNS topic that you want to update.

05 Click the Actions button from the dashboard top menu and select Edit topic policy.

06 In the Edit topic policy dialog box, perform the following:

  1. Select the Basic View tab to update the topic policy with the basic editor:
    • Select Only me (topic owner) to limit publishing messages or subscribing requests to the topic owner only.
    • Select Only these AWS users and enter valid AWS account IDs to limit publishing messages or subscribing requests to those specified AWS accounts only.
    • Select Only users with endpoints that match and enter valid endpoints (email address, application URL, etc) to limit subscribing only to the specified endpoints.
    • Under Using these delivery protocols section select any protocols required for subscription requests or notifications.
  2. Select the Advanced View tab and paste your custom policy document to update the topic permissions based on your requirements. Make sure that any statement using a wildcard Principal is paired with a Condition clause that filters access based on your needs, or name the allowed principals explicitly. You can also create custom SNS policies with the AWS Policy Generator: https://awspolicygen.s3.amazonaws.com/policygen.html

07 Click Update policy to apply the new permissions.

08 Repeat step no. 4 – 7 for each SNS topic available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to retrieve the list with all the SNS topics available in the selected region and their ARNs:

aws sns list-topics \
	--region us-east-1

02 The command output should return each SNS topic ARN:

{
    "Topics": [
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
        },
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
        }
    ]
}

03 Run get-topic-attributes command (OSX/Linux/UNIX) to return the selected SNS topic policy so you can examine it before implementing any updates:

aws sns get-topic-attributes \
	--topic-arn "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic" \
	--region us-east-1 \
	--query 'Attributes.Policy'

04 The command output should return the topic policy document (shown decoded and formatted here). In this example only mobile_statement_01 is restricted, via the AWS:SourceOwner condition, to principals of the owning account; mobile_statement_02 and mobile_statement_03 are open to everyone:

{
  "Version": "2008-10-17",
  "Id": "mobile_custom_policy_ID",
  "Statement": [
    {
      "Sid": "mobile_statement_01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:ListSubscriptionsByTopic",
        "SNS:Subscribe",
        "SNS:DeleteTopic",
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:AddPermission",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    },
    {
      "Sid": "mobile_statement_02",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
    },
    {
      "Sid": "mobile_statement_03",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:MobileSNSTopic"
    }
  ]
}

05 Run remove-permission command (OSX/Linux/UNIX) to remove a certain statement from the selected SNS topic policy; the label is the statement's Sid. The following example removes the policy statement labeled mobile_statement_02 from the SNS topic with the ARN arn:aws:sns:us-east-1:123456789012:MobileSNSTopic (the command does not return any output). Repeat it for every open statement, i.e. also for mobile_statement_03 in the policy above:

aws sns remove-permission \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:MobileSNSTopic \
	--label mobile_statement_02

06 Run add-permission command (OSX/Linux/UNIX) to add a new valid statement to the selected topic policy. The following example adds a policy statement labeled mobile_statement_02-1 that grants the AWS account with the ID 123456789012 permission to publish messages to the SNS topic with the ARN arn:aws:sns:us-east-1:123456789012:MobileSNSTopic (the command does not return any output). Note that --aws-account-id accepts AWS account IDs only and --action-name takes the SNS action name without the "SNS:" prefix; for finer-grained principals or Condition clauses, update the whole document with set-topic-attributes --attribute-name Policy instead:

aws sns add-permission \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:MobileSNSTopic \
	--label mobile_statement_02-1 \
	--action-name Publish \
	--aws-account-id 123456789012
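The remediation applied to the whole policy document at once, as an added example that is not code from the original page. Instead of removing and re-adding statements one label at a time, harden_policy pins every open statement to the topic owner with the AWS:SourceOwner condition seen in mobile_statement_01 above, and optionally appends a statement granting SNS:Publish to named accounts, written with the account root ARN form that add-permission produces. The sample policy, the owner account 123456789012 and the publisher account 210987654321 are constructed for the example; apply_policy is an optional live step that assumes boto3 and AWS credentials and pushes the result with set-topic-attributes.

```python
"""Rewrite an exposed SNS topic policy so that nothing is granted to everyone.

Added example, not code from the original page. The result is a policy
document string suitable for:
  aws sns set-topic-attributes --attribute-name Policy --attribute-value "$(cat policy.json)"
"""
import json

OWNER_ACCOUNT = "123456789012"   # constructed sample account id
TOPIC_ARN = f"arn:aws:sns:us-east-1:{OWNER_ACCOUNT}:MobileSNSTopic"

# Constructed sample mirroring the document printed above: statement 01 is
# already restricted to the owner, statements 02 and 03 are open to everyone.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "mobile_custom_policy_ID",
    "Statement": [
        {"Sid": "mobile_statement_01", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:DeleteTopic"],
         "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"AWS:SourceOwner": OWNER_ACCOUNT}}},
        {"Sid": "mobile_statement_02", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN},
        {"Sid": "mobile_statement_03", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Subscribe", "SNS:Receive"], "Resource": TOPIC_ARN},
    ],
})


def _open_to_everyone(stmt: dict) -> bool:
    """Allow + wildcard Principal ("*" or {"AWS": "*"}) + no Condition."""
    principal = stmt.get("Principal")
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    aws = [aws] if isinstance(aws, str) else (aws or [])
    return stmt.get("Effect") == "Allow" and "*" in aws and not stmt.get("Condition")


def harden_policy(policy_json: str, owner_account: str, topic_arn: str,
                  publisher_accounts: tuple[str, ...] = ()) -> str:
    """Return a new policy document (JSON string) with no open statements."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else list(statements)

    fixed = []
    for stmt in statements:
        stmt = dict(stmt)  # do not mutate the caller's data
        if _open_to_everyone(stmt):
            # Same shape as mobile_statement_01 above: only requests made by
            # principals of the owning account may use the granted actions.
            stmt["Condition"] = {"StringEquals": {"AWS:SourceOwner": owner_account}}
        fixed.append(stmt)

    if publisher_accounts:
        # Equivalent of `aws sns add-permission --action-name Publish
        # --aws-account-id ...`, which names each account by its root ARN.
        fixed.append({
            "Sid": "explicit_publishers",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in publisher_accounts]},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
        })

    policy["Statement"] = fixed
    return json.dumps(policy, indent=2)


def open_sids(policy_json: str) -> list[str]:
    """Sids of statements still granted to everyone (empty after hardening)."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", "") for s in statements if _open_to_everyone(s)]


def apply_policy(topic_arn: str, policy_json: str, region: str) -> None:
    """Push the document with set-topic-attributes (assumes boto3 + credentials)."""
    import boto3  # imported here so the offline part needs no boto3
    boto3.client("sns", region_name=region).set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy", AttributeValue=policy_json)


if __name__ == "__main__":
    print("open before:", open_sids(SAMPLE_POLICY))
    hardened = harden_policy(SAMPLE_POLICY, OWNER_ACCOUNT, TOPIC_ARN, ("210987654321",))
    print("open after: ", open_sids(hardened))
    print(hardened)
```

Pinning with AWS:SourceOwner keeps the statements functional for the owning account's own users and roles while closing them to everyone else; cross-account publishers are then added explicitly rather than through a wildcard. Review the resulting document once more with the audit step before applying it, since set-topic-attributes replaces the whole policy.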

Publication date Apr 23, 2016