Identify any publicly accessible SNS topics in your AWS account and tighten their access policies so that only authorized principals, not attackers or anonymous users, can publish to or subscribe to them.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Setting overly permissive policies on your SNS topics, whether accidentally or intentionally, lets unauthorized users publish messages to, receive messages from and subscribe to the exposed topics. A common scenario is an administrator (or the root user) granting the "Everyone" grantee, that is an anonymous principal ("Principal": "*") with no restricting condition, access to a topic while testing a notification pipeline and then forgetting to remove the permissive statement once testing is over.
Audit
To determine if there are any exposed SNS topics within your AWS account, perform the following:
Remediation / Resolution
To update the policies and implement the required permissions to secure any exposed SNS topics, perform the following:
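The Audit and Remediation steps above rely on the list-topics, get-topic-attributes and policy-update commands listed under References. The following script is an added example, not Cloud Conformity's or AWS's own code, showing how both steps can be automated with boto3: it decides whether a topic policy is exposed and, if so, rewrites the offending statements. It assumes the rule's definition of "exposed" is an Allow statement with an anonymous principal ("*" or {"AWS": "*"}) and no Condition block; the sample policies, the account ID 123456789012 and the topic ARN are constructed placeholders. The AWS-facing part is confined to audit_account() so the detection and hardening logic runs offline.

```python
"""Audit Amazon SNS topic policies for anonymous access and produce a hardened policy.

Added example; not Cloud Conformity's or AWS's own code. Assumed definition of
"exposed": an Allow statement whose Principal is "*" or {"AWS": "*"} and that has
no Condition block. The default policy AWS attaches to a new topic also uses a
wildcard principal but scopes it with AWS:SourceOwner, so it is not a finding.
"""
import json

# Constructed sample policies (placeholder account ID 123456789012, not a real account).
DEFAULT_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
})

EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
         "Action": ["SNS:Publish", "SNS:Subscribe"],
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "SNS:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _load(policy):
    """Accept either the JSON string returned by get-topic-attributes or a parsed dict."""
    return json.loads(policy) if isinstance(policy, str) else policy


def _statements(doc):
    """IAM allows Statement to be a single object or a list; always return a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def _anonymous_principal(stmt):
    """True when Principal is "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    p = stmt.get("Principal")
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def open_statements(policy):
    """Sid (or index) of each Allow statement granting unconditional anonymous access."""
    findings = []
    for i, s in enumerate(_statements(_load(policy))):
        if s.get("Effect") == "Allow" and _anonymous_principal(s) and not s.get("Condition"):
            findings.append(s.get("Sid", f"statement[{i}]"))
    return findings


def is_exposed(policy):
    return bool(open_statements(policy))


def harden_policy(policy, account_id):
    """Copy of the policy with unconditional anonymous principals replaced by the account root.

    Only statements that open_statements() flags are touched; scoped wildcards
    (such as the AWS default policy) and Deny statements are left unchanged.
    """
    doc = json.loads(json.dumps(_load(policy)))  # deep copy; caller's object stays intact
    root = f"arn:aws:iam::{account_id}:root"
    for s in _statements(doc):
        if s.get("Effect") != "Allow" or s.get("Condition") or not _anonymous_principal(s):
            continue
        p = s["Principal"]
        if p == "*":
            s["Principal"] = {"AWS": root}
        elif isinstance(p["AWS"], list):
            p["AWS"] = [root if v == "*" else v for v in p["AWS"]]
        else:
            p["AWS"] = root
    return doc


def audit_account(apply_fix=False):
    """Walk every topic in the account with boto3 (assumed installed and credentialled)."""
    import boto3  # imported here so the offline part of the example runs without it
    sns = boto3.client("sns")
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    for page in sns.get_paginator("list_topics").paginate():
        for topic in page["Topics"]:
            arn = topic["TopicArn"]
            policy = sns.get_topic_attributes(TopicArn=arn)["Attributes"].get("Policy")
            sids = open_statements(policy) if policy else []
            if not sids:
                continue
            print(f"EXPOSED {arn}: {sids}")
            if apply_fix:  # one write replaces the remove-permission/add-permission pair
                sns.set_topic_attributes(TopicArn=arn, AttributeName="Policy",
                                         AttributeValue=json.dumps(harden_policy(policy, account_id)))


if __name__ == "__main__":
    print("default policy exposed:", is_exposed(DEFAULT_POLICY))      # False
    print("sample policy findings:", open_statements(EXPOSED_POLICY))  # ['AllowEveryone']
    print(json.dumps(harden_policy(EXPOSED_POLICY, "123456789012"), indent=2))
```

Run it with no arguments to see the offline checks, or call audit_account() (and audit_account(apply_fix=True) once you have reviewed the findings) against a real account. Replacing the anonymous principal with the account root is the conservative fix; if cross-account publishers or AWS services need access, list their ARNs or add a Condition (for example aws:SourceArn) instead of restoring the wildcard.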
References
- AWS Documentation
  - Amazon SNS FAQs
  - Managing Access to Your Amazon SNS Topics
  - Special Information for Amazon SNS Policies
  - IAM Policy Elements Reference
  - Controlling User Access to Your AWS Account
  - Example Cases for Amazon SNS Access Control
  - AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation
  - sns
    - list-topics
    - get-topic-attributes
    - remove-permission
    - add-permission
Rule: SNS Topic Exposed
Risk level: High