Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

AWS SNS Topics with Unsecured Policies

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that your AWS SNS topics are not using access control policies that allow HTTP subscriptions in order to protect against subscription requests that are not encrypted over the network.

Security

When Amazon SNS topic access policies are configured to use HTTP instead of HTTPS as delivery protocol, the communication between AWS and the SNS subscription endpoints is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. Cloud Conformity strongly recommends enforcing HTTPS-only subscription by denying all regular (unencrypted) HTTP subscription requests using topic policies.

Audit

To determine if your AWS SNS topics are using unsecured access policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, under SNS Dashboard, select Topics.

04 Select the SNS topic that you want to examine.

05 Click the Actions dropdown button from the dashboard top menu and select Edit topic policy to access the SNS topic policy.

06 Inside the Edit topic policy dialog box, select Basic view tab and verify the subscription protocols enabled within the delivery protocols section:

Delivery Protocol Section

If the HTTP protocol is enabled i.e.

HTTP Protocol enable

instead of the HTTPS one, the access policy implemented for the selected Amazon SNS topic is not well secured, therefore the SNS subscription requests made to the existing endpoints are not encrypted over the network.

07 Repeat steps no. 4 - 6 to verify the access control policy for other SNS topics available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run list-topics command (OSX/Linux/UNIX) to retrieve the list with all the SNS topics available in the selected region and their Amazon Resource Names (ARNs): 

aws sns list-topics
	--region us-east-1

02 The command output should return the requested SNS topic ARNs: 

{
   "Topics": [
     {
        "TopicArn": "arn:aws:sns:us-east-1:
                     123456789012:cloud-conformity-sns-topic"
     },
     {
        "TopicArn": "arn:aws:sns:us-east-1:
                     123456789012:aws-cloudtrail-sns-topic"
     }
   ]
}

03 Run get-topic-attributes command (OSX/Linux/UNIX) to list the selected SNS topic policy using custom query filters and the ARN returned at the previous step as resource identifier: 

aws sns get-topic-attributes
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:cloud-conformity-sns-topic
	--query 'Attributes.Policy'

04 The command output should return the SNS topic policy document in JSON format: 

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1: ... ",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "123456789012"
        }
      }
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1: ... ",
      "Condition": {
        "StringEquals": {
          "SNS:Protocol": "http"
        }
      }
    }
  ]
}

Identify the Effect and SNS:Protocol elements defined within the policy statement and verify their value(s). If the Effect value is set to "Allow" and the SNS:Protocol contains the "http" value instead of "https" (as shown in the example above) or the Effect element is set to "Deny" and the SNS:Protocol contains the "https" value, only the HTTP delivery protocol is enabled, therefore the access policy defined for the selected Amazon SNS topic is not secured, allowing unencrypted subscription requests to be made to the existing SNS subscription endpoints.

05 Repeat step no. 3 and 4 to verify the access control policy for other SNS topics available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To update your Amazon SNS topic policies in order to enforce HTTPS-only subscription, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel select Topics.

04 Click on the SNS topic that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Edit topic policy.

06 Inside the Edit topic policy dialog box, select Basic view tab to configure the topic policy via AWS Management Console.

07 Next to Using these delivery protocols uncheck HTTP checkbox and check the HTTPS one:

HTTPS check to enforce HTTPS-only subscriptions to the selected SNS topic endpoints.

08 Click Update policy to apply the changes. The AWS SNS dashboard should display now the "Successfully edited topic policy." confirmation message.

09 Repeat steps no. 4 - 8 to update the access policy for other SNS topics available in the current region in order to deny all HTTP subscription requests and allow only HTTPS requests.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, edit your Amazon SNS topic access policy and replace the SNS delivery protocol HTTP value with HTTPS, i.e. "SNS:Protocol": "https", then save the policy in a JSON document (e.g. sns-secure-access-policy.json). Make sure that the SNS_TOPIC_ARN and AWS_ACCOUNT_ID placeholder values (highlighted) are replaced with your own values: 

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "SNS_TOPIC_ARN",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "AWS_ACCOUNT_ID"
        }
      }
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "SNS_TOPIC_ARN",
      "Condition": {
        "StringEquals": {
          "SNS:Protocol": "https"
        }
      }
    }
  ]
}

02 Run set-topic-attributes command (OSX/Linux/UNIX) using the ARN of the SNS topic that you want to reconfigure (see Audit section part II to identify the right SNS resource) to replace the existing access policy with the one defined at the previous step, i.e. sns-secure-access-policy.json, (the command does not produce an output): 

aws sns set-topic-attributes
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:cloud-conformity-sns-topic
	--attribute-name Policy
	--attribute-value file://sns-secure-access-policy.json

03 Repeat step no. 1 and 2 to update the access policy for other SNS topics created in the current region in order to enforce HTTPS-only subscription to the topics endpoints.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the remediation/resolution process for other regions.

References

Publication date Feb 24, 2017

Related SNS rules