AWS SNS Topic is Accessible to Public Subscription

Description:

An Amazon Simple Notification Service (SNS) topic whose policy allows public subscriptions can be abused by unauthorized entities: anyone able to call sns:Subscribe can attach an endpoint and receive every message published to the topic. This creates a risk of data leakage and can increase costs, since each delivery to an unintended subscriber is billed.


Remediation:

1. Update the SNS Topic Policy to Prevent Public Subscriptions:

AWS Management Console:
  • Navigate to the SNS service.
  • Select Topics from the left pane.
  • Click on the topic you want to secure.
  • In the Details section, under Topic policy, update the JSON so that no statement combines "Effect": "Allow", "Principal": "*" (or {"AWS": "*"}) and "Action": "sns:Subscribe" without a restricting Condition, unless that grant is specifically intended.

AWS CLI:

To view the current policy of an SNS topic:

aws sns get-topic-attributes --topic-arn <YOUR-TOPIC-ARN>

Based on the output, update the policy to prevent public subscriptions and then set the updated policy:

aws sns set-topic-attributes --topic-arn <YOUR-TOPIC-ARN> --attribute-name Policy --attribute-value '<YOUR-UPDATED-POLICY>'

Replace <YOUR-TOPIC-ARN> with your SNS topic's ARN and <YOUR-UPDATED-POLICY> with the updated policy in JSON format.
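The following Python check is an added example, not part of this finding or of any AWS tooling: it parses the JSON printed by aws sns get-topic-attributes and reports the statements that grant sns:Subscribe to any principal, treating the Condition-scoped grant used by the default SNS topic policy as non-public. The topic ARN, account ID and both policies are constructed samples.

```python
import json

# Added example: finds statements in an SNS topic policy that let anyone call
# sns:Subscribe. Action names are compared case-insensitively because SNS
# accepts "sns:Subscribe" and "SNS:Subscribe" alike.
SUBSCRIBE_ACTIONS = {"sns:subscribe", "sns:*", "*"}


def _as_list(value):
    """IAM fields such as Statement, Action or Principal.AWS may be scalar or list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """The public principal is written either as "*" or as {"AWS": "*"}."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def public_subscribe_sids(policy_json: str) -> list:
    """Return the Sids of Allow statements that grant sns:Subscribe to everyone.
    A Condition (e.g. aws:SourceOwner in the default SNS topic policy) scopes the
    grant, so conditioned statements are not flagged. NotAction/NotPrincipal
    forms are not handled here.
    """
    flagged = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anonymous(stmt.get("Principal"))
                and actions & SUBSCRIBE_ACTIONS
                and not stmt.get("Condition")):
            flagged.append(stmt.get("Sid", f"Statement[{i}]"))
    return flagged


def topic_is_public(cli_output: str) -> bool:
    """Accept the JSON printed by `aws sns get-topic-attributes` as-is."""
    return bool(public_subscribe_sids(json.loads(cli_output)["Attributes"]["Policy"]))


# Constructed samples: an open grant, and the same grant scoped to the owning account.
_ARN = "arn:aws:sns:us-east-1:111122223333:example"
WEAK_TOPIC = json.dumps({"Attributes": {"Policy": json.dumps({"Version": "2012-10-17",
    "Statement": [{"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
                   "Action": "SNS:Subscribe", "Resource": _ARN}]})}})
SCOPED_TOPIC = json.dumps({"Attributes": {"Policy": json.dumps({"Version": "2012-10-17",
    "Statement": [{"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["SNS:Subscribe", "SNS:Publish"], "Resource": _ARN,
                   "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}]})}})
```

Pipe the CLI output into topic_is_public() for each topic ARN returned by aws sns list-topics to audit an account; a True result names a topic whose policy needs the Remediation above.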

Terraform:

resource "aws_sns_topic" "example" {
  name = "example"
  # ... other configurations ...
}

# The policy is attached with a separate resource: referencing
# aws_sns_topic.example.arn from inside the aws_sns_topic block itself
# creates a self-referential cycle that Terraform rejects.
resource "aws_sns_topic_policy" "example" {
  arn = aws_sns_topic.example.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "PreventPublicSubscription"
    Statement = [
      {
        # Explicitly deny sns:Subscribe to every principal outside this
        # account, including anonymous callers. Without the Condition the
        # Deny would also block subscriptions from your own account.
        Sid       = "DisallowPublicSubscription"
        Effect    = "Deny"
        Principal = "*"
        Action    = "sns:Subscribe"
        Resource  = aws_sns_topic.example.arn
        Condition = {
          StringNotEquals = {
            "aws:PrincipalAccount" = "ACCOUNT_ID"
          }
        }
      },
      {
        Sid       = "AllowSpecificAccess"
        Effect    = "Allow"
        Principal = {
          AWS = "arn:aws:iam::ACCOUNT_ID:root"
        }
        Action    = [
          "SNS:Publish",
          "SNS:Receive"
        ]
        Resource  = aws_sns_topic.example.arn
      }
    ]
  })
}

Replace ACCOUNT_ID (in both statements) with your AWS account ID.


Recommendation:

Ensure that SNS topics are not accessible to public subscriptions. Regularly audit your topic policies and practice the principle of least privilege when granting permissions. Consider setting up CloudWatch alarms or AWS Config rules to alert on public SNS topic configurations.