Amazon Simple Notification Service (SNS)

SNS Cross-Account Access

This plugin ensures that cross-account access is prohibited by SNS policies.

Risk Level: MEDIUM

Description:

This plugin checks that SNS topic policies do not grant access to AWS accounts outside your own (or outside an explicitly whitelisted set). Permission to publish to or subscribe to a topic is granted by the topic's access policy, so those privileges should be limited there to the principals that genuinely need them.

Recommended Action: Update the SNS policy to prevent access from external accounts.

Configuration Parameters

Whitelisted AWS Account Principals: A comma-separated list of AWS account principals that are allowed to appear in a topic policy. An issue is generated if the SNS policy contains a Principal other than those specified.

By default, this value is empty, so no external AWS account principal is trusted.

Whitelist All AWS Organization Accounts: When set to true, every account in the current AWS Organization is trusted, and no issue is generated for principals that belong to those accounts.

By default, this value is false, so accounts of the current AWS Organization are not trusted unless they are listed under Whitelisted AWS Account Principals.

About the Service:

Amazon SNS (Amazon Simple Notification Service) is a managed service that delivers messages from publishers to subscribers (also known as producers and consumers). Publishers communicate with subscribers asynchronously by sending messages to a topic, which serves as a logical access point and communication route for subscribers. Clients can subscribe to the SNS topic and receive published messages through any supported endpoint, including Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messaging (SMS).

Impact: 

Overly permissive settings that allow unknown cross-account access to your SNS topics can lead to unauthorized activity, including reading and publishing messages and subscribing foreign endpoints to the exposed topics. If proper SNS policies are not applied, you risk data leaks and unexpected charges on your AWS bill.

Steps to reproduce:

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine.
  5. Under the Access policy panel, review the access policy.
  6. In each statement with "Effect": "Allow", check the Principal element: every AWS account ID or account ARN listed there must belong to your own account or to an account you deliberately trust. A wildcard Principal ("*") grants access to any AWS account unless a Condition (for example the aws:SourceOwner condition in the default topic policy) restricts it to your account.
  7. If a principal you do not recognise or do not intend to trust is present, cross-account access to the selected topic is not secured.
  8. Repeat steps 4-7 for the other topics in the selected region, and then for the other AWS regions.

Steps for remediation:

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to remediate.
  5. Choose Edit and expand the Access policy section.
  6. In the Principal element of each Allow statement, identify the AWS account IDs or ARNs that do not belong to your account or to an account you intend to trust.
  7. Remove those principals, or replace them with the correct account ID or ARN, and click Save changes. If the topic must not be reachable from any external account, leave only your own account in the policy.
  8. Cross-account access is now secured for the selected topic.
  9. Repeat steps 4-8 for the other topics in the selected region, and then for the other AWS regions.
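The following script is an added example, not the scanner's own code, that performs the check described in the configuration parameters and in the two procedures above offline, against a topic policy document. It takes the topic owner's account, the whitelisted principals and (optionally) the accounts of the AWS Organization, and reports every Allow statement whose Principal falls outside that trusted set. It also handles the one edge case that causes false positives in naive checks: the default SNS policy uses a wildcard Principal pinned to the owner with an aws:SourceOwner condition, which is treated here as access for the pinned account rather than for everyone. The account IDs, topic ARN and both policies are constructed for illustration; the function names are this example's own.

```python
# Added example: offline cross-account check for an SNS topic policy.
# Account IDs, topic ARN and policies below are constructed sample data.
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
# IAM principal ARNs such as arn:aws:iam::111122223333:root or :user/alice
ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::(\d{12}):")
# Condition keys that pin a wildcard principal to specific accounts
SCOPING_KEYS = {"aws:sourceowner", "aws:sourceaccount", "aws:principalaccount"}


def principal_accounts(principal):
    """Account IDs (or '*') named by a statement's Principal element.

    Only the "AWS" principal type is inspected; "Service" principals such as
    events.amazonaws.com are not accounts and are ignored here.
    """
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        match = ARN_RE.match(value)
        if value == "*" or ACCOUNT_RE.match(value):
            accounts.add(value)
        elif match:
            accounts.add(match.group(1))
        else:
            accounts.add(value)  # unrecognised form: surface it for review
    return accounts


def condition_accounts(condition):
    """Account IDs a StringEquals Condition restricts a wildcard principal to."""
    accounts = set()
    for key, value in condition.get("StringEquals", {}).items():
        if key.lower() in SCOPING_KEYS:
            values = [value] if isinstance(value, str) else value
            accounts.update(v for v in values if ACCOUNT_RE.match(v))
    return accounts


def find_untrusted_principals(policy, owner_account, whitelist=(),
                              trust_org=False, org_accounts=()):
    """Return [(Sid, principal)] for Allow statements that grant access to
    anyone outside the owner, the whitelist and (if trust_org) the org."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    trusted = {owner_account, *whitelist}
    if trust_org:
        trusted |= set(org_accounts)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        accounts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            # Default SNS policies use Principal "*" pinned to the owner with
            # aws:SourceOwner; treat such a wildcard as the pinned accounts.
            scoped = condition_accounts(stmt.get("Condition", {}))
            if scoped:
                accounts = (accounts - {"*"}) | scoped
        for account in sorted(accounts):
            if account not in trusted:
                findings.append((stmt.get("Sid", "<no Sid>"), account))
    return findings


# Constructed sample data (fictional account IDs).
OWNER = "111122223333"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{OWNER}:orders"
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # default-style statement: wildcard pinned to the owner account
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
            "Resource": TOPIC_ARN,
            "Condition": {"StringEquals": {"AWS:SourceOwner": OWNER}},
        },
        {   # explicit grant to a foreign account: flagged unless whitelisted
            "Sid": "AllowPartner",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
            "Action": "SNS:Subscribe",
            "Resource": TOPIC_ARN,
        },
        {   # unconditioned wildcard: any AWS principal may publish
            "Sid": "OpenPublish",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SNS:Publish",
            "Resource": TOPIC_ARN,
        },
    ],
}
# Remediated policy: only the owner-scoped default statement remains.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [WEAK_POLICY["Statement"][0]]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_untrusted_principals(policy, OWNER) or "no cross-account access")
```

Running it reports the partner account and the open wildcard for the weak policy and nothing for the fixed one; passing whitelist={"222233334444"} (the plugin's Whitelisted AWS Account Principals) or trust_org=True with that account in org_accounts (Whitelist All AWS Organization Accounts) silences the partner finding but still flags the unconditioned wildcard, which no whitelist should ever cover. In a live scan the policy document comes from the topic's Policy attribute and the org account list from AWS Organizations; both are out of scope for this offline example.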
