Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

AWS SNS HTTP Subscriptions

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that none of the Amazon SNS subscriptions created within your AWS account are using HTTP instead of HTTPS as delivery protocol in order to enforce SSL encryption for all subscription requests.

Security

When an AWS SNS subscription is configured to utilize the HTTP protocol instead of HTTPS, the communication between Amazon and the subscription endpoint is vulnerable to malicious activity such as eavesdropping and network sniffing. Cloud Conformity strongly recommends using only HTTPS-based subscriptions by implementing secure SNS topic policies and favor HTTPS over HTTP during the subscription creation process.

Audit

To determine if your AWS SNS subscriptions are using HTTP instead of HTTPS as delivery protocol, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, under SNS Dashboard, select Subscriptions.

04 Choose the SNS subscription that you want to examine and verify the protocol used, listed in in Protocol column:

Protocol Column

If the protocol value is set to http, the selected Amazon SNS subscription is configured to allow unencrypted requests, therefore the communication between AWS and the subscription endpoint is vulnerable to eavesdropping attacks.

05 Repeat step no. 4 - 6 to verify the delivery protocol for other Amazon SNS subscriptions available in the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the ARN (Amazon Resource Name) for each AWS SNS subscription available in the selected region: 

aws sns list-subscriptions
	--region us-east-1
	--query 'Subscriptions[*].SubscriptionArn'

02 The command output should return the requested SNS topic ARNs: 

[

    "arn:aws:sns:us-east-1:123456789012:mobile-web-sns-topic:
     f6759ab3-59b5-4a32-bef4-e64582b115e0",
    "arn:aws:sns:us-east-1:123456789012:mobile-web-sns-topic:
     b8469da9-58b6-1c81-de5c-e3619251ac01"

]

03 Run get-subscription-attributes command (OSX/Linux/UNIX) using the subscription ARN returned at the previous step as identifier and custom query filters to expose the delivery protocol used by the selected AWS SNS subscription: 

aws sns get-subscription-attributes
	--region us-east-1
	--subscription-arn arn:aws:sns:us-east-1:123456789012:mobile-web-sns-topic:f6759ab3-59b5-4a32-bef4-e64582b115e0
	--query 'Attributes.Protocol'

04 The command output should return the requested SNS subscription protocol: 

"http"

If the value returned by the get-subscription-attributes command is "http", the selected Amazon SNS subscription is configured to use the HTTP protocol instead of HTTPS (secure) protocol, therefore the communication between AWS and the subscription endpoint is vulnerable to malicious activity.

05 Repeat step no. 3 and 4 to verify the delivery protocol used by other Amazon SNS subscriptions created within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To implement the HTTPS protocol within your existing Amazon SNS subscriptions configuration you need to re-create and confirm these subscriptions by performing the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, under SNS Dashboard, click Subscriptions.

04 Select the SNS topic subscription that you want to re-create (see Audit section part I to identify the right resource) and copy the Topic ARN value together with the subscription Endpoint.

05 Click Create subscription button from the dashboard top menu to re-create the necessary subscription.

06 Within Create subscription dialog box, perform the following:

  1. Inside the Topic ARN box, paste the SNS topic ARN copied at step no. 4.
  2. Select HTTPS from the Protocol dropdown list.
  3. Paste the URL endpoint copied at step no. 4 in the Endpoint box.
  4. Click Create Subscription to generate the new SNS subscription.
  5. Click Close for the "Subscription request received!" message.

07 Once your new SNS subscription is confirmed, you can remove the original (unencrypted) subscription from your AWS account by performing the following commands:

  1. Select the SNS topic subscription that you want to delete.
  2. Click the Actions button from the dashboard top menu and select Delete subscription.
  3. Inside the Delete dialog box, review the subscription details then click Delete to confirm the action.

08 Repeat steps no. 4 - 7 to implement the HTTPS protocol for other Amazon SNS subscriptions available in the selected region.

09 Change the AWS region from the navigation bar and repeat the resolution process for other regions.

Using AWS CLI

01 Get the configuration details from the existing SNS topic subscription, required for the next step. Run get-subscription-attributes command (OSX/Linux/UNIX) using the ARN of the subscription that you want to re-create (see Audit section part II to identify the right resource), to describe all its configuration details: 

aws sns get-subscription-attributes
	--region us-east-1
	--subscription-arn arn:aws:sns:us-east-1:123456789012:mobile-web-sns-topic:f6759ab3-59b5-4a32-bef4-e64582b115e0

02 The command output should return the requested subscription configuration attributes: 

{
    "Attributes": {
        "Endpoint": "http://cloudconformity.com",
        "Protocol": "http",
        "RawMessageDelivery": "false",
        "ConfirmationWasAuthenticated": "true",
        "Owner": "123456789012",
        "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:
         mobile-web-sns-topic:f6759ab3-59b5-4a32-bef4-e64582b115e0",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:
         cloud-conformity-sns-topic"
    }
}

03 Run subscribe command (OSX/Linux/UNIX) using the configuration details returned at the previous step to re-create the original SNS topic subscription with the HTTPS delivery protocol by sending a confirmation message to the notification-endpoint (in this case the endpoint used as example is https://cloudconformity.com): 

aws sns subscribe
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:cloud-conformity-sns-topic
	--protocol https
	--notification-endpoint https://cloudconformity.com

04 The command output should return the "pending confirmation" status: 

{
    "SubscriptionArn": "pending confirmation"
}

05 Now run confirm-subscription command (OSX/Linux/UNIX) to confirm the newly created subscription by validating the token sent to the notification endpoint selected (the command does not produce an output): 

aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:cloud-conformity-sns-topic
	--token 59302192f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da350761

06 Once your new SNS subscription is confirmed, you can delete the original one from your AWS account by executing unsubscribe command (OSX/Linux/UNIX) with the subscription ARN as identifier (the command does not produce an output): 

aws sns unsubscribe
--subscription-arn "arn:aws:sns:us-east-1:123456789012:mobile-web-sns-topic:f6759ab3-59b5-4a32-bef4-e64582b115e0"

07 Repeat steps no. 1 – 6 to implement the HTTPS protocol for other Amazon SNS subscriptions created in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire process for other regions.

References

Publication date Feb 24, 2017

Related SNS rules