Amazon Simple Notification Service (SNS)

SNS Topic Global Policies

This plugin ensures SNS topics do not allow global send or subscribe.

Risk Level: High

Description:

This plugin checks that SNS topic policies do not grant send (publish) or subscribe permissions globally. A topic policy should not be configured to allow any AWS user to subscribe to the topic or send messages to it; doing so could result in data leakage or a financial DDoS (an attacker running up the account's SNS charges by publishing or subscribing at will).

Configuration Parameters

SNS Topic Policy Allowed Condition Keys: This parameter is a comma-separated list of AWS SNS topic policy condition keys that are treated as acceptable scoping. If a policy statement would otherwise be flagged but its Condition block contains one of these keys, no issue is generated.

By default, the allowed condition keys are 'aws:PrincipalArn', 'aws:PrincipalAccount', 'aws:PrincipalOrgID', 'aws:SourceAccount', 'aws:SourceArn', 'aws:SourceOwner', 'kms:CallerAccount' and 'kms:ViaService', so any statement that uses one of these keys is skipped by the scan.

About the Service:

Amazon SNS (Amazon Simple Notification Service) is a managed service that delivers messages from publishers to subscribers (also known as producers and consumers). Publishers communicate with subscribers asynchronously by sending messages to a topic, which serves as a logical access point and communication route for subscribers. Clients can subscribe to the SNS topic and receive published messages through any supported endpoint, including Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messaging (SMS).

Impact:

Setting overly permissive policies on your SNS topics, by accident or on purpose, can allow unauthorized users to receive or publish messages and to subscribe to the exposed topics. A common scenario is that a root user grants access on an SNS topic to the "Everyone" grantee while testing the notification system and then forgets to remove the insecure permissions once testing is over.

Steps to reproduce:

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine.
  5. Under the Access Policy panel, review the access policy.
  6. If the Principal attribute of a statement is set to “*”, the actions listed in that statement's Action attribute are exposed to anonymous access.
  7. Repeat steps no. 4 - 6 for other SNS topics in the current region and other regions as well.

Steps for remediation:

Adjust the topic policy to only allow authorized AWS users in known accounts to subscribe.

  1. Sign in to the AWS Management Console.
  2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
  3. In the left navigation panel, select Topics.
  4. Select the SNS topic you want to examine.
  5. Open the Edit topic policy dialog box.
  6. Under the Access Policy, change the value of the Principal attribute from “*” to the ARN of the authorized service or account.
  7. Repeat steps no. 4 - 6 for other SNS topics in the current region and other regions as well.
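The check described under Configuration Parameters and the remediation above, as an added example that is not the plugin's own code: a small Python evaluator that flags Allow statements granting SNS publish/subscribe actions to Principal “*” unless one of the default allowed condition keys is present, run over a constructed weak policy and its corrected form. The account id, topic ARN and function names are assumptions, not values taken from the page.

```python
import json

# Condition keys the plugin treats as scoping a statement to known principals (from the page)
ALLOWED_CONDITION_KEYS = {
    "aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:SourceAccount",
    "aws:SourceArn", "aws:SourceOwner", "kms:CallerAccount", "kms:ViaService",
}
SNS_EXPOSED_ACTIONS = {"*", "sns:*", "sns:publish", "sns:subscribe", "sns:receive"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_global_principal(principal):
    """Principal "*" or {"AWS": "*"} grants the action to every AWS user (the "Everyone" grantee)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def find_global_statements(policy_json, allowed_keys=ALLOWED_CONDITION_KEYS):
    """Return the Sids of Allow statements that expose SNS send/subscribe globally."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_global_principal(stmt.get("Principal", [])):
            continue
        if not {a.lower() for a in _as_list(stmt.get("Action", []))} & SNS_EXPOSED_ACTIONS:
            continue
        # Condition keys sit one level below the operator: {"StringEquals": {"aws:SourceOwner": ...}}
        condition_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if condition_keys & allowed_keys:
            continue  # scoped by an allowed key, so the plugin does not report it
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed sample policies; the account id and topic ARN are placeholders, not from the page.
TOPIC = "arn:aws:sns:us-east-1:111122223333:example-topic"
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToEveryone", "Effect": "Allow", "Principal": "*",
     "Action": ["sns:Subscribe", "sns:Publish"], "Resource": TOPIC}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    # Remediation from the page: name the authorized account instead of "*"
    {"Sid": "KnownAccountOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["sns:Subscribe", "sns:Publish"], "Resource": TOPIC},
    # Still "*", but scoped by an allowed condition key, so it is not reported
    {"Sid": "ScopedBySourceOwner", "Effect": "Allow", "Principal": "*", "Action": "sns:Publish",
     "Resource": TOPIC, "Condition": {"StringEquals": {"aws:SourceOwner": "111122223333"}}}]})

if __name__ == "__main__":
    print("weak:", find_global_statements(WEAK_POLICY))    # ['OpenToEveryone']
    print("fixed:", find_global_statements(FIXED_POLICY))  # []
```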