AWS SNS Appropriate Subscribers (Not Scored)
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that all your Amazon SNS subscriptions are periodically reviewed for appropriate subscribers and remove any unwanted subscriber in order to improve access security to your SNS topics.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Review regularly your AWS SNS subscriptions to ensure that only expected (appropriate) recipients receive the information published to your SNS topics.
To determine if there are any unwanted SNS subscribers available within your AWS account, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
03 In the left navigation panel, under SNS Dashboard, select Subscriptions.
04 Choose the SNS subscription that you want to examine.
05 Evaluate the topic Amazon Resource Name (ARN), available in the Topic ARN column and the endpoint assigned to the subscription, available within Endpoint column, to determine if the subscriber is appropriate and can access/receive the data published to the assigned topic. If the subscriber is evaluated as unwanted, the selected AWS SNS subscription is not appropriate and can be safely removed from your account.
06 Repeat step no. 4 and 5 to evaluate other Amazon SNS subscriptions available in the current region.
07 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run list-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name for each AWS SNS subscription available in the selected region:
aws sns list-subscriptions --region us-east-1 --query 'Subscriptions[*].SubscriptionArn'
02 The command output should return the requested subscription ARNs:
[ "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd", "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-603b-4a82-b29d-aaabbbcccddd" ]
03 Run get-subscription-attributes command (OSX/Linux/UNIX) using the subscription ARN returned at the previous step as identifier and custom query filters to describe the configuration attributes of the selected AWS SNS subscription:
aws sns get-subscription-attributes --region us-east-1 --subscription-arn arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd
04 The command output should return the requested attributes:
{
"Attributes": {
"Endpoint": "daniel@cloudconformity.com",
"Protocol": "email",
"RawMessageDelivery": "false",
"ConfirmationWasAuthenticated": "false",
"Owner": "123456789012",
"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd",
"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic"
}
}
05 Based on the information returned at the previous step, evaluate the topic ARN, available as value for "TopicArn" attribute and the endpoint assigned to the subscription, available as value for "Endpoint" attribute, to determine if the subscriber is appropriate and can receive information published to the assigned topic (in this case arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic). If the subscriber is evaluated as unwanted, the selected Amazon SNS subscription is marked as inappropriate and can be safely removed from your AWS account.
06 Repeat steps no. 3 – 5 to evaluate other Amazon SNS subscriptions available in the current region.
07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the audit process for other regions.
To remove any unwanted SNS subscriptions from your AWS account, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
03 In the navigation panel, under SNS Dashboard, click Subscriptions.
04 Select the SNS topic subscription that you want to remove (see Audit section part I to identify the right resource).
05 Click Actions button from the dashboard top menu and select Delete subscriptions.
06 Within Delete dialog box, review the SNS subscription ARN, then click Delete to confirm the action. Once the selected subscription is removed, the AWS console will display the following confirmation message: "Subscriptions deleted.".
07 Repeat steps no. 4 - 7 to remove other unwanted Amazon SNS subscriptions available in the selected region.
08 Change the AWS region from the navigation bar and repeat the resolution process for other regions.
01 Run unsubscribe command (OSX/Linux/UNIX) using the ARN of the unwanted subscription that you want to delete as identifier (see Audit section part II to identify the right SNS resource) to remove the selected AWS SNS subscription from your account (the command does not produce an output):
aws sns unsubscribe --region us-east-1 --subscription-arn "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd"
02 Repeat step no. 1 to remove (unsubscribe) other unwanted Amazon SNS subscriptions created in the selected AWS region.
03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat