Identify any publicly accessible Amazon SNS topics and update their permissions in order to protect against attackers and unauthorized personnel.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing anonymous users to access your Amazon SNS topics can lead to unauthorized actions such as intercepting, receiving, or publishing messages without permission. One common scenario is a topic owner granting permissions to everyone by setting the Principal to "Everyone" (i.e. "*") while testing the SNS messaging configuration, after which the insecure set of permissions reaches production. To avoid data leakage and unexpected costs on your AWS bill, limit access to your SNS topics by implementing the right permissions.
Audit
To determine if your Amazon SNS topics are publicly accessible, perform the following operations:
Remediation / Resolution
To update the associated access policy and set the appropriate permissions in order to secure the access to your exposed Amazon SNS topic, perform the following operations:
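The audit check and the remediation described above, as an added Python example that is not part of the Conformity page: it flags Allow statements in a topic policy whose Principal is everyone ("*" or {"AWS": "*"}) and rewrites those principals to the owning account so the policy can be applied with `set-topic-attributes`. The topic ARN and account ID are constructed placeholders; a wildcard statement that carries a Condition is left for manual review rather than reported as public.

```python
import json

# Constructed sample policy: everyone ("*") may publish, subscribe and
# receive on the topic, with no Condition restricting the grant.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:Receive"],
        "Resource": "arn:aws:sns:us-east-1:123456789012:example-topic",
    }],
})


def _is_wildcard(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json):
    """Audit: return the Sids of Allow statements that grant to everyone with no
    Condition. Input is the Policy attribute from `aws sns get-topic-attributes`.
    Statements that have a Condition are skipped; review them by hand."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


def restrict_to_account(policy_json, account_id):
    """Remediation: replace each wildcard Principal with the owning account's
    root ARN, so only that account's IAM identities can be granted access.
    Returns a JSON string for `aws sns set-topic-attributes
    --attribute-name Policy --attribute-value`."""
    policy = json.loads(policy_json)
    for s in policy["Statement"]:
        if _is_wildcard(s.get("Principal")):
            s["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return json.dumps(policy)
```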
References
- AWS Documentation
  - Amazon SNS FAQs
  - Identity and access management in Amazon SNS
  - Amazon SNS API permissions: Actions and resources reference
  - IAM JSON policy elements reference
  - Using identity-based policies with Amazon SNS
  - Example cases for Amazon SNS access control
- AWS Command Line Interface (CLI) Documentation
  - sns
  - list-topics
  - get-topic-attributes
  - set-topic-attributes
Rule: SNS Topic Exposed
Risk Level: High