Ensure SNS Topics administrative actions aren't publicly executable without a condition
SNS Topics might contain sensitive information or initiate critical tasks. Determine the specific principals the their required actions, and then craft IAM policy with the required permissions.
Risk Level: Critical
Cloud Entity: SNS Topic
CloudGuard Rule ID: D9.AWS.IAM.58
Category: Application Integration
GSL LOGIC
SnsTopic should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain-any ['SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic']) and Condition isEmpty()]
REMEDIATION
From Console
- Open the Amazon SNS console https://console.aws.amazon.com/sns/
- In the left navigation pane, choose Topics.
- Choose your Amazon SNS topic's name.
- Choose the Edit button.
- Expand the Access policy - optional section.
- Edit the access policy to grant the required permissions for your use case.(You can also use AWS policy generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html)
- In the policy When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
- Choose Save Changes.
From CLI
- Create a json file with policy statement where, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
- Use below CLI Command to update the policy.
aws sns set-topic-attributes --topic-arn TOPIC_ARN --attribute-name policy --attribute-value FILE://UPDATE_ATTRIBUTES.json
From CFT
- See below example, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
Resources:
SampleSNSPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Id: __default_policy_ID
Statement:
- Sid: __default_statement_ID
Effect: Allow
Principal:
AWS: "111122223333"
Action:
- SNS:GetTopicAttributes
Resource: arn:aws:sns:us-east-2:444455556666:MyTopic
Condition:
StringEquals:
AWS:SourceOwner: '444455556666'
Topics:
- "arn:aws:sns:us-east-2:444455556666:MyTopic"
From TF
- See below example, When Effect is 'Allow' and Action contains one of the following- 'SNS:GetTopicAttributes' or 'SNS:SetTopicAttributes' or 'SNS:AddPermission' or 'SNS:RemovePermission' or 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic' , Make sure you DO NOT mention Principal='' or Principal.AWS='' , and add make sure you add a condition in the policy statement.
resource "aws_sns_topic_policy" "default" {
arn = "arn:aws:sns:us-east-2:444455556666:MyTopic"
policy = data.aws_iam_policy_document.sns_topic_policy.json
}
data "aws_iam_policy_document" "sns_topic_policy" {
policy_id = "__default_policy_ID"
statement {
actions = [
"SNS:DeleteTopic"
]
condition {
test = "StringEquals"
variable = "AWS:SourceOwner"
values = [
444455556666,
]
}
effect = "Allow"
principals {
type = "AWS"
identifiers = ["111122223333"]
}
resources = [
arn:aws:sns:us-east-2:444455556666:MyTopic,
]
sid = "__default_statement_ID"
}
}
References
- https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html
SNS Topic
An Amazon SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address). To broadcast the messages of a message-producer system (for example, an e-commerce website) working with multiple other services that require its messages (for example, checkout and fulfillment systems), you can create a topic for your producer system.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS Security Risk Management
- CloudGuard AWS Default Ruleset
Updated over 1 year ago