Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to subscribe. The entities that can subscribe to your SNS topics can be: "Everyone" (anonymous access), users whose endpoint URL, protocol, email address or ARN from a "Subscribe" request match a certain value, specific AWS users or resources and the topic owner. From this list of topic subscribers, you should make sure that the "Everyone" entity is not used with any SNS topics created within your AWS account in order to protect the messages published to your topics against attackers or unauthorized personnel.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When an SNS topic policy grants permission to "Everyone" by using the wildcard "*" as the Principal value, the topic's security is at risk: any unauthenticated entity can subscribe and receive the messages published to the topic, messages that should usually reach only known subscribers.
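The check the rule describes comes down to inspecting the "Policy" attribute of each topic (the JSON document returned by the sns get-topic-attributes command) for an Allow statement whose Principal is the wildcard "*" and whose Action covers sns:Subscribe. The following script is an added example written for this page, not code from Cloud Conformity or AWS: it evaluates two constructed policy documents, one that grants "Everyone" the right to subscribe and a hardened counterpart that grants the same actions only to the owning account. The account ID, region and topic name in the sample policies are placeholders.

```python
"""Flag SNS topic policies that let "Everyone" subscribe.

Added example (not from the original page). A finding is any Allow statement
whose Principal is "*" (or {"AWS": "*"}) and whose Action includes
sns:Subscribe, sns:* or *.
"""
import json

# Constructed sample: the "Policy" attribute of a topic as returned by
# `aws sns get-topic-attributes`. Account, region and topic name are placeholders.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryoneToSubscribe",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["SNS:Subscribe", "SNS:Receive"],
            "Resource": "arn:aws:sns:us-east-1:123456789012:example-topic",
        }
    ],
})

# Hardened counterpart: the same actions, but only for the topic owner's account.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOwnerAccountToSubscribe",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["SNS:Subscribe", "SNS:Receive"],
            "Resource": "arn:aws:sns:us-east-1:123456789012:example-topic",
        }
    ],
})

# Action values (compared case-insensitively) that allow subscribing.
SUBSCRIBE_ACTIONS = {"sns:subscribe", "sns:*", "*"}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True if the Principal element grants access to anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def action_allows_subscribe(actions):
    """True if any listed action lets the principal subscribe to the topic."""
    return any(a.lower() in SUBSCRIBE_ACTIONS for a in _as_list(actions))


def public_subscribe_statements(policy_json):
    """Return the Sid (or index) of every Allow statement that lets Everyone subscribe.

    Statements that carry a Condition element are still reported: a condition
    may narrow the grant, but it should be reviewed rather than assumed safe.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        if not action_allows_subscribe(stmt.get("Action", [])):
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        hits = public_subscribe_statements(doc)
        print(f"{name}: {'PUBLIC' if hits else 'ok'} {hits}")
```

To run this against real topics, feed it the Policy attribute of each topic returned by list-topics and get-topic-attributes; any topic with findings is the one whose policy should be replaced with set-topic-attributes, using a restricted Principal like the one in RESTRICTED_POLICY.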
Audit
To determine if there are any SNS topics publicly accessible for subscription within your AWS account, perform the following:
Remediation / Resolution
To update the access control policies attached to the SNS topics that are publicly accessible for subscription and implement the required permissions to secure the exposed topics, perform the following actions:
References
- AWS Documentation
- Amazon SNS FAQs
- Managing Access to Your Amazon SNS Topics
- IAM JSON Policy Elements Reference
- Controlling User Access to Your AWS Account
- Special Information for Amazon SNS Policies
- AWS Policy Generator
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - sns
    - list-topics
    - get-topic-attributes
    - set-topic-attributes
Rule: SNS Topic Accessible For Subscription
Risk level: Medium