Ensure SNS Topics administrative actions aren't publicly executable without a condition

SNS Topics might contain sensitive information or initiate critical tasks. Determine the specific principals and the actions they require, and then craft an IAM policy that grants only those permissions.

Risk Level: Critical
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.IAM.58
Category: Application Integration

GSL LOGIC

SnsTopic should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain-any ['SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes'  or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic']) and Condition isEmpty()]
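The GSL logic above, implemented as a stand-alone check over a topic's access policy JSON (added example, not CloudGuard's own code). It goes slightly beyond the literal rule: Action and Principal.AWS may be scalars or lists, comparison is case-insensitive, and wildcard actions (`*`, `sns:*`) that cover the administrative actions are flagged too. The sample policy is constructed for illustration.

```python
import json

# Administrative SNS actions named by rule D9.AWS.IAM.58 (compared case-insensitively).
ADMIN_ACTIONS = {
    "sns:gettopicattributes", "sns:settopicattributes", "sns:addpermission",
    "sns:removepermission", "sns:deletetopic", "sns:listsubscriptionsbytopic",
}

def _as_list(value):
    # IAM accepts a scalar or a list for Action and Principal.AWS; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # Matches Principal: "*" and Principal: {"AWS": "*"} (also when "*" sits inside a list).
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _grants_admin_action(actions):
    # Going beyond the literal GSL list, wildcards that cover these actions are flagged too.
    return any(a.lower() in ADMIN_ACTIONS or a.lower() in ("*", "sns:*")
               for a in _as_list(actions))

def find_public_admin_statements(policy_json):
    """Return the Sid (or positional label) of each statement the rule would flag."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and _grants_admin_action(stmt.get("Action"))
                and not stmt.get("Condition")):      # Condition isEmpty()
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample policy: "Bad" is public, unconditional and administrative; "Scoped" carries a
# condition; "PublishOnly" is public but grants no administrative action.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Bad", "Effect": "Allow", "Principal": "*",
     "Action": ["SNS:DeleteTopic", "SNS:Publish"],
     "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"},
    {"Sid": "Scoped", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "SNS:GetTopicAttributes",
     "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "444455556666"}}},
    {"Sid": "PublishOnly", "Effect": "Allow", "Principal": "*",
     "Action": "SNS:Publish",
     "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic"},
]})

print(find_public_admin_statements(SAMPLE_POLICY))  # ['Bad']
```

To audit a live topic, feed it the Policy attribute returned by `aws sns get-topic-attributes`.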

REMEDIATION

From Console

  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/
  2. In the left navigation pane, choose Topics.
  3. Choose your Amazon SNS topic's name.
  4. Choose the Edit button.
  5. Expand the Access policy - optional section.
  6. Edit the access policy to grant only the permissions required for your use case. (You can also use the AWS Policy Generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html)
  7. In every statement where Effect is 'Allow' and Action contains any of 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure the statement includes a Condition.
  8. Choose Save Changes.

From CLI

  1. Create a JSON file containing the topic policy. In every statement where Effect is 'Allow' and Action contains any of 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure the statement includes a Condition.
  2. Use the CLI command below to update the policy (the file path must use the lowercase file:// prefix).
aws sns set-topic-attributes --topic-arn TOPIC_ARN --attribute-name Policy --attribute-value file://UPDATE_ATTRIBUTES.json

From CFT

  1. See the example below. In every statement where Effect is 'Allow' and Action contains any of 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure the statement includes a Condition.
Resources:
  SampleSNSPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Id: __default_policy_ID
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "111122223333"
            Action:
              - SNS:GetTopicAttributes
            Resource: arn:aws:sns:us-east-2:444455556666:MyTopic
            Condition:
              StringEquals:
                AWS:SourceOwner: '444455556666'
      Topics:
        - "arn:aws:sns:us-east-2:444455556666:MyTopic"

From TF

  1. See the example below. In every statement where Effect is 'Allow' and Action contains any of 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure the statement includes a Condition.
resource "aws_sns_topic_policy" "default" {
	arn    = "arn:aws:sns:us-east-2:444455556666:MyTopic"
	policy = data.aws_iam_policy_document.sns_topic_policy.json
}

data "aws_iam_policy_document" "sns_topic_policy" {
	policy_id = "__default_policy_ID"
	statement {
		sid    = "__default_statement_ID"
		effect = "Allow"
		actions = [
			"SNS:DeleteTopic",
		]
		# Explicit account principal instead of "*"
		principals {
			type        = "AWS"
			identifiers = ["111122223333"]
		}
		resources = [
			"arn:aws:sns:us-east-2:444455556666:MyTopic",
		]
		# Condition restricting the statement to the topic owner's account (values must be strings)
		condition {
			test     = "StringEquals"
			variable = "AWS:SourceOwner"
			values   = ["444455556666"]
		}
	}
}

References

  1. https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
  4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html

SNS Topic

An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS Default Ruleset