AWS SNS Appropriate Subscribers

Risk Level: Medium (should be achieved)

Rule ID: SNS-003

Ensure that all your Amazon SNS subscriptions are periodically reviewed for appropriate subscribers and remove any unwanted subscriber in order to improve access security to your SNS topics.

This rule can help you with the following compliance standards:

CISAWSF
PCI
NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

Security

Review regularly your AWS SNS subscriptions to ensure that only expected (appropriate) recipients receive the information published to your SNS topics.

Audit

To determine if there are any unwanted SNS subscribers available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, under SNS Dashboard, select Subscriptions.

04 Choose the SNS subscription that you want to examine.

05 Evaluate the topic Amazon Resource Name (ARN), available in the Topic ARN column and the endpoint assigned to the subscription, available within Endpoint column, to determine if the subscriber is appropriate and can access/receive the data published to the assigned topic. If the subscriber is evaluated as unwanted, the selected AWS SNS subscription is not appropriate and can be safely removed from your account.

06 Repeat step no. 4 and 5 to evaluate other Amazon SNS subscriptions available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name for each AWS SNS subscription available in the selected region:

aws sns list-subscriptions
	--region us-east-1
	--query 'Subscriptions[*].SubscriptionArn'

02 The command output should return the requested subscription ARNs:

[

"arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd",
"arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-603b-4a82-b29d-aaabbbcccddd"

]

03 Run get-subscription-attributes command (OSX/Linux/UNIX) using the subscription ARN returned at the previous step as identifier and custom query filters to describe the configuration attributes of the selected AWS SNS subscription:

aws sns get-subscription-attributes
	--region us-east-1
	--subscription-arn arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd

04 The command output should return the requested attributes:

{
    "Attributes": {
        "Endpoint": "daniel@example.com",
        "Protocol": "email",
        "RawMessageDelivery": "false",
        "ConfirmationWasAuthenticated": "false",
        "Owner": "123456789012",
        "SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic"
    }
}

05 Based on the information returned at the previous step, evaluate the topic ARN, available as value for "TopicArn" attribute and the endpoint assigned to the subscription, available as value for "Endpoint" attribute, to determine if the subscriber is appropriate and can receive information published to the assigned topic (in this case arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic). If the subscriber is evaluated as unwanted, the selected Amazon SNS subscription is marked as inappropriate and can be safely removed from your AWS account.

06 Repeat steps no. 3 – 5 to evaluate other Amazon SNS subscriptions available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the audit process for other regions.

Remediation / Resolution

To remove any unwanted SNS subscriptions from your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, under SNS Dashboard, click Subscriptions.

04 Select the SNS topic subscription that you want to remove (see Audit section part I to identify the right resource).

05 Click Actions button from the dashboard top menu and select Delete subscriptions.

06 Within Delete dialog box, review the SNS subscription ARN, then click Delete to confirm the action. Once the selected subscription is removed, the AWS console will display the following confirmation message: "Subscriptions deleted.".

07 Repeat steps no. 4 - 7 to remove other unwanted Amazon SNS subscriptions available in the selected region.

08 Change the AWS region from the navigation bar and repeat the resolution process for other regions.

Using AWS CLI

01 Run unsubscribe command (OSX/Linux/UNIX) using the ARN of the unwanted subscription that you want to delete as identifier (see Audit section part II to identify the right SNS resource) to remove the selected AWS SNS subscription from your account (the command does not produce an output):

aws sns unsubscribe
	--region us-east-1
	--subscription-arn "arn:aws:sns:us-east-1:123456789012:cc-web-sns-topic:12345678-39dc-4669-961b-aaabbbcccddd"

02 Repeat step no. 1 to remove (unsubscribe) other unwanted Amazon SNS subscriptions created in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.

References

AWS Documentation
Amazon SNS FAQs
What is Amazon Simple Notification Service?
Clean Up

AWS Command Line Interface (CLI) Documentation
sns
list-subscriptions
get-subscription-attributes
unsubscribe

Publication date Sep 29, 2017

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related SNS rules