
SNS Topics Publicly Accessible For Subscription

Security

Risk level: Medium (should be achieved)

Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to subscribe. The entities that can subscribe to your SNS topics can be: "Everyone" (anonymous access), users whose endpoint URL, protocol, email address or ARN from a "Subscribe" request match a certain value, specific AWS users or resources and the topic owner. From this list of topic subscribers, you should make sure that the "Everyone" entity is not used with any SNS topics created within your AWS account in order to protect the messages published to your topics against attackers or unauthorized personnel.

When an SNS topic policy grants permission to "Everyone" by using a wildcard, i.e. "*", as the Principal value, the topic security can be at risk as any unauthenticated entity can subscribe and receive messages from the topic publishers, messages that usually should be destined only to known subscribers.

Audit

To determine if there are any SNS topics publicly accessible for subscription within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/

03 In the left navigation panel, select Topics.

04 Select the Amazon SNS topic that you want to examine.

05 Click the Actions button from the dashboard top menu and select the Edit topic policy option.

06 Inside the Edit topic policy dialog box, perform one of the following actions:

  1. Select the Basic View tab to examine the selected topic policy defined using the basic editor. Within the Allow these users to subscribe to this topic section, check the entity allowed to subscribe to the topic. If the entity is "Everyone", the selected AWS SNS topic is exposed to anonymous access, therefore any unauthenticated user can subscribe and receive messages from the selected topic publishers.
  2. Select the Advanced View tab to examine the topic policy document defined using the advanced editor. Inside the policy document box, search for statements with the following combination of elements: "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SNS:Subscribe", "SNS:Receive" ], "Resource": "<SNS_TOPIC_ARN>". If the policy statements contain the specified combination, without using Condition clauses to filter the access to the selected SNS resource, the selected AWS SNS topic is exposed to anonymous access.

07 Repeat steps no. 4 – 6 to verify the access control policy for other SNS topics, provisioned in the selected AWS region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to list the ARNs of all the SNS topics available in the selected AWS region:

aws sns list-topics \
	--region us-east-1 \
	--output table \
	--query 'Topics[]'

02 The command output should return a table with the requested topic ARNs:

----------------------------------------------------------
|                      ListTopics                        |
+--------------------------------------------------------+
|                       TopicArn                         |
+--------------------------------------------------------+
| arn:aws:sns:us-east-1:123456789012:cc-web-app-topic    |
| arn:aws:sns:us-east-1:123456789012:cc-mobile-app-topic |
+--------------------------------------------------------+

03 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to examine as identifier to return the policy attached to the selected SNS resource:

aws sns get-topic-attributes \
	--region us-east-1 \
	--topic-arn "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic" \
	--query 'Attributes.Policy'

04 The command output should return the topic policy document:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [

    ...

    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic"
    },

    ...

  ]
}


Within the policy document returned by the get-topic-attributes command output, search for statements with the following combination of elements: "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SNS:Subscribe", "SNS:Receive" ], "Resource": "<SNS_TOPIC_ARN>". If the policy statements contain the specified combination, as shown in the example above, without using Condition clauses to filter the access to the resource such as "Condition": { "StringEquals": { "AWS:SourceOwner": "<AWS_ACCOUNT_ID>" } }, the selected AWS SNS topic is publicly accessible for subscription and exposed to anonymous users.

05 Repeat steps no. 3 and 4 to verify the access control policy for other SNS topics, available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
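To run the same check against many topics, the statement analysis from the audit steps above can be scripted. The following is an added Python example (not Cloud Conformity's own code) that applies the audit criteria to a policy document as returned by get-topic-attributes; it also covers the equivalent forms "Principal": "*", a list of AWS principals, and the SNS:* / * action wildcards. The sample policy is constructed for this example.

```python
import json

# Constructed sample that mirrors the public statement from the audit step:
# anyone ("AWS": "*") may Subscribe/Receive and there is no Condition.
PUBLIC_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "__console_sub_0", "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["SNS:Subscribe", "SNS:Receive"],
    "Resource": "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic"}]})

# Actions that grant a subscription, including wildcards that cover it.
SUBSCRIBE_ACTIONS = {"sns:subscribe", "sns:*", "*"}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for the anonymous forms "*" and {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_subscribe_statements(policy_json):
    """Return the Sids of statements that let anyone subscribe to the topic.

    A statement is flagged when it Allows an everyone-Principal to call
    SNS:Subscribe (or a wildcard covering it) and carries no Condition,
    which is the combination described in the audit step above.
    """
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & SUBSCRIBE_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue  # scoped by a Condition (e.g. AWS:SourceOwner), not anonymous
        findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings
```

Feed the function the string returned by `aws sns get-topic-attributes --query 'Attributes.Policy'`; an empty list means no anonymous subscribe statement was found in that topic policy.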

Remediation / Resolution

To update the access control policies attached to the SNS topics that are publicly accessible for subscription and implement the required permissions to secure the exposed topics, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics.

04 Select the AWS SNS topic that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Actions button from the dashboard top menu and select Edit topic policy.

06 Inside the Edit topic policy dialog box, perform one of the following actions:

  1. Select the Basic View tab to update the access policy with the basic editor and within Allow these users to subscribe to this topic section, set the following:
    • Select Only me (topic owner) to limit all the subscription requests to the topic owner only.
    • Select Only these AWS users and provide valid AWS account IDs to limit subscription to those specified AWS accounts only.
    • Select Only users with endpoints that match and type valid endpoints (email addresses, application URLs, etc) to limit subscribing only to the specified endpoints.
    • In the Using these delivery protocols section, select any delivery protocols required for subscription requests.
  2. Select the Advanced View tab and paste your own custom policy document to update the topic permissions based on your requirements. Make sure that you replace the Principal element value (i.e. "AWS": "*") with specific (trusted) AWS users, e.g. replace "Principal": { "AWS": "*" } with "Principal": { "AWS": "IAM_USER_ARN" }, or use the existing Principal elements together with Condition clauses to filter the user access. You can create custom SNS policies using the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html

07 Click Update policy to apply the new topic permissions.

08 Repeat steps no. 4 – 7 for each SNS topic available in the current AWS region.

09 Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 First, you need to update (redefine) the necessary access control policy by replacing the current value of the Principal element (i.e. "AWS": "*") with trusted IAM user ARNs, e.g. replacing "Principal": { "AWS": "*" } with "Principal": { "AWS": "IAM_USER_ARN" }. Save the redefined policy within a JSON document named "secure-subscribe-policy.json". In the following access control policy example, only the trusted principal identified by the ARN "arn:aws:iam::123456789012:root" can subscribe to the SNS topic:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:123456789012:cc-web-app-topic"
    }
  ]
}

02 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to reconfigure (see Audit section part II to identify the right SNS resource) to replace the existing access control policy with the one defined at the previous step (i.e. secure-subscribe-policy.json) for the selected AWS SNS topic (the command does not produce an output):

aws sns set-topic-attributes \
	--region us-east-1 \
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-web-app-topic \
	--attribute-name Policy \
	--attribute-value file://secure-subscribe-policy.json

Publication date Mar 16, 2018