Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to subscribe. The entities that can be allowed to subscribe to an SNS topic are: "Everyone" (anonymous access), requesters whose endpoint URL, protocol, email address or ARN in a "Subscribe" request matches a given value, specific AWS users or resources, and the topic owner. Of these, make sure that the "Everyone" entity is not used with any SNS topic created within your AWS account, so that the messages published to your topics are protected against attackers or unauthorized personnel.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When an SNS topic policy grants permission to "Everyone" by using a wildcard, i.e. "*", as the Principal value, the topic's security is at risk: any unauthenticated entity can subscribe and receive the messages sent by the topic publishers, messages that should normally reach only known subscribers.
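As an added illustration (not part of the Cloud Conformity rule page), the check below parses a topic access policy document, flags Allow statements whose Principal is the wildcard and whose Action covers SNS:Subscribe, and rewrites those statements to the owner account; the policy document and the 111122223333 account id are constructed placeholders, and in practice the input would be the "Policy" attribute returned by the SNS GetTopicAttributes API call.

```python
import json

# Constructed sample topic policy (not from the page): the first statement lets
# anyone ("*") subscribe; the second is scoped to a placeholder owner account id.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicSubscribe", "Effect": "Allow", "Principal": "*",
         "Action": "SNS:Subscribe",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": "111122223333"},
         "Action": ["SNS:Subscribe", "SNS:Receive"],
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_everyone(principal):
    # Both "*" and {"AWS": "*"} mean anonymous ("Everyone") access.
    if principal == "*":
        return True
    return isinstance(principal, dict) and any(
        "*" in _as_list(v) for v in principal.values())

def _grants_subscribe(actions):
    return any(a.lower() in ("sns:subscribe", "sns:*", "*") for a in _as_list(actions))

def find_public_subscribe_statements(policy_json):
    """Sids of Allow statements that let Everyone subscribe with no Condition.
    Wildcard statements that carry a Condition (e.g. aws:SourceAccount) are not
    flagged here and should be reviewed by hand."""
    hits = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if (st.get("Effect") == "Allow" and _is_everyone(st.get("Principal"))
                and _grants_subscribe(st.get("Action", [])) and not st.get("Condition")):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def restrict_to_account(policy_json, account_id):
    """Remediation: rewrite each flagged statement's Principal to the owner account."""
    policy = json.loads(policy_json)
    flagged = set(find_public_subscribe_statements(policy_json))
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Sid", f"statement[{i}]") in flagged:
            st["Principal"] = {"AWS": account_id}
    return json.dumps(policy)
```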
To determine if there are any SNS topics publicly accessible for subscription within your AWS account, perform the following:
To update the access control policies attached to the SNS topics that are publicly accessible for subscription and implement the required permissions to secure the exposed topics, perform the following actions: