
SNS Topics Publicly Accessible For Publishing


Security

Risk level: Medium (should be achieved)

Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to publish. The entities that can publish to an SNS topic are: "Everyone" (unrestricted access), specific AWS users or AWS resources, and the topic owner. Of these, make sure that the "Everyone" entity is not used with any SNS topic provisioned in your AWS account, so that attackers or other unauthorized parties cannot publish messages to your topics.

When an SNS topic policy grants permission to "Everyone" by using a wildcard, i.e. "*", as the Principal value, the topic is at risk because any unauthenticated entity can produce and publish malicious messages to it, messages that should normally come only from trusted publishers.

Audit

To determine whether any SNS topics in your AWS account accept anonymous publishing, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Select the Amazon SNS topic that you want to examine.

05 Click the Actions button from the dashboard top menu and select the Edit topic policy option.

06 Inside the Edit topic policy dialog box, perform one of the following:

  1. Select the Basic View tab to examine the selected topic policy defined using the basic editor. Within the Allow these users to publish messages to this topic section, check the entity allowed to publish to the topic. If the entity is "Everyone", the selected AWS SNS topic is exposed to anonymous access, therefore any unauthenticated user can publish messages to the selected topic.
  2. Select the Advanced View tab to examine the topic policy document defined using the advanced editor. Inside the policy document box, search for statements with the following combination of elements: "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "SNS:Publish", "Resource": "<SNS_TOPIC_ARN>". If the policy statements contain the specified combination, without using Condition clauses to filter the access to the selected SNS resource, the selected AWS SNS topic is exposed to anonymous access.

07 Repeat steps no. 4 – 6 to verify the access control policy for other SNS topics, provisioned in the selected AWS region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run the list-topics command (OSX/Linux/UNIX) to list the ARNs of all the SNS topics available in the selected AWS region:

aws sns list-topics \
	--region us-east-1 \
	--output table \
	--query 'Topics[]'

02 The command output should return a table with the requested topic ARNs:

----------------------------------------------------------
|                      ListTopics                        |
+--------------------------------------------------------+
|                       TopicArn                         |
+--------------------------------------------------------+
| arn:aws:sns:us-east-1:123456789012:cc-mobile-stack     |
| arn:aws:sns:us-east-1:123456789012:cc-web-stack-v1.4   |
+--------------------------------------------------------+

03 Run the get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to examine as identifier to return the access policy attached to the selected topic:

aws sns get-topic-attributes \
	--region us-east-1 \
	--topic-arn "arn:aws:sns:us-east-1:123456789012:cc-mobile-stack" \
	--query 'Attributes.Policy'

04 The command output should return the topic policy document:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [

    ...

    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic"
    },

    ...

  ]
}

Within the policy document returned by the get-topic-attributes command, search for statements with the following combination of elements: "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "SNS:Publish", "Resource": "<SNS_TOPIC_ARN>". If the policy statements contain the specified combination, as shown in the example above, without using Condition clauses to filter the access to the resource, such as "Condition": { "StringEquals": { "AWS:SourceOwner": "<AWS_ACCOUNT_ID>" } }, the selected AWS SNS topic is publicly accessible for publishing.

05 Repeat steps no. 3 and 4 to verify the access control policy for other SNS topics available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
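The check in step 04 can be scripted. The following Python is an added example, not Cloud Conformity's own code: it takes the raw policy document (as returned by get-topic-attributes with --query 'Attributes.Policy' --output text) and reports the statements that grant SNS:Publish to an anonymous Principal with no Condition clause. It also handles forms the audit text does not spell out: a bare "*" Principal, a single Statement object instead of a list, action lists, and the "sns:*" and "*" action wildcards. The sample policy and the script name sns_check.py are constructed for this example.

```python
import json
import sys

# Actions that grant SNS:Publish. IAM action matching is case-insensitive,
# and the wildcards "sns:*" and "*" cover Publish as well.
PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}

def _as_list(value):
    """Statement, Action and Principal.AWS may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the Principal is "Everyone": "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_publish_sids(policy_doc):
    """Return the Sids of statements letting any unauthenticated entity publish.

    A statement is flagged when Effect is Allow, the Principal is anonymous, an
    Action covers SNS:Publish and there is no Condition element (e.g. no
    AWS:SourceOwner check). Any Condition counts as filtering the access, as in
    the audit rule above; whether it is actually restrictive still needs review.
    """
    flagged = []
    for stmt in _as_list(json.loads(policy_doc).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & PUBLISH_ACTIONS and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged

# Constructed sample: the exposed topic policy shown in Audit step 04 above.
EXPOSED_POLICY = json.dumps({
    "Version": "2008-10-17", "Id": "__default_policy_ID",
    "Statement": [{"Sid": "__console_pub_0", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
                   "Resource": "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic"}]})

if __name__ == "__main__":
    # Pipe the raw policy document in, for example:
    # aws sns get-topic-attributes --topic-arn <ARN> --query 'Attributes.Policy' --output text | python3 sns_check.py
    doc = EXPOSED_POLICY if sys.stdin.isatty() else sys.stdin.read()
    sids = public_publish_sids(doc)
    print("PUBLIC publish statements: %s" % sids if sids else "OK: no anonymous publish")
```

Run it in a loop over the ARNs from list-topics (and over each --region) to cover the whole account; the remediated policy from the Remediation section below produces no findings because its only wildcard publish statement carries an AWS:SourceOwner Condition.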

Remediation / Resolution

To update the access control policies attached to the AWS SNS topics that are publicly accessible for publishing and implement the required permissions to secure the exposed topics, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Actions button from the dashboard top menu and select Edit topic policy.

06 Inside the Edit topic policy dialog box, perform one of the following actions:

  1. Select the Basic View tab to update the access policy with the basic editor and within Allow these users to publish messages to this topic section, set the following:
    • Select Only me (topic owner) to limit all the publish requests to the topic owner only.
    • Select Only these AWS users and provide valid AWS account IDs to limit message publishing to those specified AWS accounts only.
  2. Select the Advanced View tab and paste your own custom policy document to update the SNS topic permissions based on your requirements. Make sure that you replace the Principal element value (i.e. "AWS": "*") with specific (trusted) AWS users, e.g. replace "Principal": { "AWS": "*" } with "Principal": { "AWS": "IAM_USER_ARN" }, or keep the existing Principal elements but add Condition clauses to filter the user access for publishing. You can create custom SNS policies using the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html.

07 Click Update policy to apply the new permissions.

08 Repeat steps no. 4 – 7 for each SNS topic available in the current AWS region.

09 Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Update the required access control policy by replacing the current Principal element value (i.e. "AWS": "*") with specific IAM user ARNs, e.g. replacing "Principal": { "AWS": "*" } with "Principal": { "AWS": "IAM_USER_ARN" }. Save the updated policy within a JSON document named "secure-publish-policy.json". In the following access control policy example, only the AWS IAM user identified by the ARN "arn:aws:iam::123456789012:root" can publish messages to the SNS topic:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-mobile-stack",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-mobile-stack"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-mobile-stack"
    }
  ]
}

02 Run the set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to reconfigure (see Audit section part II to identify the right SNS resource) to replace the existing access control policy with the one defined at the previous step (i.e. secure-publish-policy.json) for the selected AWS SNS topic (the command produces no output):

aws sns set-topic-attributes \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-mobile-stack \
	--attribute-name Policy \
	--attribute-value file://secure-publish-policy.json

Publication date Mar 16, 2018