AWS SNS Topic is Exposed to Public
Description:
An Amazon Simple Notification Service (SNS) topic should have controlled access to ensure that only authorized services and individuals can publish or subscribe to the topic. An SNS topic that is exposed to the public may be at risk of receiving unwanted messages, which could lead to unexpected costs or be used as a vector for denial-of-service attacks.
Remediation:
1. Update the SNS Topic Policy to Restrict Access:
AWS Management Console:
- Navigate to the SNS service.
- Select Topics from the left pane.
- Click on the topic you want to secure.
- In the Details section, under Topic policy, update the JSON so that no statement combines "Effect": "Allow" with "Principal": "*", unless that statement is deliberately scoped to a specific action and condition that you intend.
AWS CLI:
To view the current policy of an SNS topic:
aws sns get-topic-attributes --topic-arn <YOUR-TOPIC-ARN>
Based on the output, update the policy to restrict access and then set the updated policy:
aws sns set-topic-attributes --topic-arn <YOUR-TOPIC-ARN> --attribute-name Policy --attribute-value '<YOUR-UPDATED-POLICY>'
Replace <YOUR-TOPIC-ARN> with your SNS topic's ARN and <YOUR-UPDATED-POLICY> with the updated policy in JSON format.
Terraform:
resource "aws_sns_topic" "example" {
  name = "example"
  # ... other configurations ...
}

# The policy is attached with a separate aws_sns_topic_policy resource so the
# topic's own ARN can be referenced. Setting "policy" inside aws_sns_topic and
# referencing aws_sns_topic.example.arn there is a self-reference Terraform rejects.
resource "aws_sns_topic_policy" "example" {
  arn = aws_sns_topic.example.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "EnsureLimitedPublicAccess"
    Statement = [
      {
        Sid    = "AllowOnlySpecificAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::ACCOUNT_ID:root"
        }
        Action = [
          "SNS:Publish",
          "SNS:Receive"
        ]
        Resource = aws_sns_topic.example.arn
      }
    ]
  })
}
Replace ACCOUNT_ID with your AWS account ID.
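The console and CLI steps above boil down to one check: an Allow statement whose principal is everyone and which carries no Condition. The following Python script, added here as an example (it is not part of this page or of any AWS tooling), implements that check over a topic policy and over the JSON that `aws sns get-topic-attributes` prints, where the policy is the Attributes.Policy value as a JSON-encoded string. Both sample policies are constructed for the example; ACCOUNT_ID, the topic ARN and the bucket name are placeholders.

```python
import json

# Constructed sample: the kind of policy this finding flags. ACCOUNT_ID and the
# topic ARN are placeholders, not values from any real account.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Id": "PublicTopicPolicy",
    "Statement": [
        {
            "Sid": "AllowEveryonePublish",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:example",
        }
    ],
}

# Constructed sample: the same topic after remediation. Access is limited to the
# account root, plus an S3 bucket allowed to publish only under a Condition.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "EnsureLimitedPublicAccess",
    "Statement": [
        {
            "Sid": "AllowOnlySpecificAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"},
            "Action": ["SNS:Publish", "SNS:Receive"],
            "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:example",
        },
        {
            "Sid": "AllowS3BucketEvents",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:example",
            "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}},
        },
    ],
}

# Constructed stand-in for `aws sns get-topic-attributes` output, in the real
# command's shape: the policy is a JSON string inside the Attributes map.
SAMPLE_CLI_OUTPUT = json.dumps({"Attributes": {"Policy": json.dumps(PUBLIC_POLICY)}})


def _principal_is_public(principal):
    """True for "Principal": "*" and for {"AWS": "*"}, which mean the same thing."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_statements(policy):
    """Return the Sid (or a positional label) of every Allow statement that
    grants access to everyone without a Condition narrowing the caller."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Public principal scoped by a Condition: treated as intentional here,
            # matching the "unless specifically scoped" caveat. Still review it.
            continue
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def audit_get_topic_attributes_output(cli_output):
    """Audit the JSON printed by `aws sns get-topic-attributes`."""
    attributes = json.loads(cli_output).get("Attributes", {})
    policy = attributes.get("Policy")
    if policy is None:
        return []  # no Policy attribute in the output: nothing to audit
    return find_public_statements(policy)


if __name__ == "__main__":
    print("public statements (before):", audit_get_topic_attributes_output(SAMPLE_CLI_OUTPUT))
    print("public statements (after): ", find_public_statements(RESTRICTED_POLICY))
```

Against a live topic, pipe the output of `aws sns get-topic-attributes --topic-arn <YOUR-TOPIC-ARN>` into `audit_get_topic_attributes_output`; an empty list means no unconditioned public Allow statement was found. A statement that is skipped because it has a Condition still deserves a look, since a loose condition can be almost as broad as none.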
Recommendation:
Always review and restrict the permissions granted to your SNS topics. Ensure that topics are not unintentionally exposed to the public or wider audience than necessary. Regularly audit your topic policies and use the principle of least privilege to grant permissions.