Ensure that all your Simple Notification Service (SNS) topics are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access. Prior to running this rule by the Cloud Conformity engine you need to provide the friendly accounts identifiers represented by a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using overly permissive policies that allow unknown cross account access to your SNS topics can lead to unauthorized actions such as intercepting and publishing messages or subscribing to the exposed topics. To prevent data leaks and avoid unexpected costs on your AWS bill, grant access only to the trusted accounts by implementing the right SNS policies.
To determine if there are any Amazon Simple Notification Service topics that allow unknown cross account access, perform the following:
To update your Amazon SNS topics policy in order to allow cross account access only from trusted entities, perform the following: