Amazon_SNS_9

Ensure SNS Topics administrative actions aren't publicly executable without a condition

Description

SNS Topics might contain sensitive information or initiate critical tasks. Determine the specific principals and the actions they require, and then craft an IAM policy that grants only those permissions.

Remediation

From Console:
1. Open the Amazon SNS console https://console.aws.amazon.com/sns/
2. In the left navigation pane, choose Topics.
3. Choose your Amazon SNS topic’s name.
4. Choose the Edit button.
5. Expand the Access policy – optional section.
6. Edit the access policy to grant the required permissions for your use case. (You can also use the AWS Policy Generator tool: https://awspolicygen.s3.amazonaws.com/policygen.html)
7. In the policy, for every statement where Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
8. Choose Save Changes.

From CLI:
1. Create a JSON file containing the policy. For every statement where Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
2. Use the CLI command below to update the policy (the attribute name is 'Policy' and the file is passed with the file:// prefix).
aws sns set-topic-attributes --topic-arn TOPIC_ARN --attribute-name Policy --attribute-value file://UPDATE_ATTRIBUTES.json

From CFT:
1. See the example below. For every statement where Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.

Resources:
  SampleSNSPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Id: __default_policy_ID
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: "111122223333"
            Action:
              - SNS:GetTopicAttributes
            Resource: arn:aws:sns:us-east-2:444455556666:MyTopic
            Condition:
              StringEquals:
                AWS:SourceOwner: '444455556666'
      Topics:
        - "arn:aws:sns:us-east-2:444455556666:MyTopic"

From TF:
1. See the example below. For every statement where Effect is 'Allow' and Action contains one of the following: 'SNS:GetTopicAttributes', 'SNS:SetTopicAttributes', 'SNS:AddPermission', 'SNS:RemovePermission', 'SNS:DeleteTopic' or 'SNS:ListSubscriptionsByTopic', make sure you DO NOT set Principal='*' or Principal.AWS='*', and make sure you add a Condition to the policy statement.
resource "aws_sns_topic_policy" "default" {
  arn    = "arn:aws:sns:us-east-2:444455556666:MyTopic"
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

data "aws_iam_policy_document" "sns_topic_policy" {
  policy_id = "__default_policy_ID"
  statement {
    actions = [
      "SNS:DeleteTopic",
    ]
    # Condition key values are strings; the account ID must be quoted
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values = [
        "444455556666",
      ]
    }
    effect = "Allow"
    # A specific account principal, never "*"
    principals {
      type        = "AWS"
      identifiers = ["111122223333"]
    }
    resources = [
      "arn:aws:sns:us-east-2:444455556666:MyTopic",
    ]
    sid = "__default_statement_ID"
  }
}
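As an added check that is not part of this rule's text, the following Python function applies the rule above to a topic policy document: it flags Allow statements that grant one of the listed administrative actions to a wildcard principal (Principal='*' or Principal.AWS='*', in string or list form) without any Condition. It also treats the action wildcards 'sns:*' and '*' as granting those actions, which goes beyond the page's explicit list. The policy document is a constructed sample, not one taken from the page.

```python
import json

# Administrative SNS actions named by the rule; compared case-insensitively
ADMIN_ACTIONS = {
    "sns:gettopicattributes", "sns:settopicattributes", "sns:addpermission",
    "sns:removepermission", "sns:deletetopic", "sns:listsubscriptionsbytopic",
}

def _as_list(value):
    # IAM policy elements may be a single value or a list of values
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _grants_admin_action(actions):
    # Action wildcards ("*", "sns:*") cover the admin actions too (assumption)
    for action in _as_list(actions):
        a = action.lower()
        if a in ADMIN_ACTIONS or a in ("*", "sns:*"):
            return True
    return False

def find_public_admin_statements(policy_json):
    """Return the Sids of Allow statements that grant an admin action to a
    wildcard principal with no Condition block, i.e. the rule's finding."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_admin_action(stmt.get("Action", [])):
            continue
        if stmt.get("Condition"):
            continue  # conditioned statements pass the rule
        findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings

# Constructed sample: "PublicDelete" violates the rule, "ScopedGet" is scoped to
# an account and conditioned, "PublishOnly" is public but grants no admin action
TOPIC = "arn:aws:sns:us-east-2:444455556666:MyTopic"
COND = {"StringEquals": {"AWS:SourceOwner": "444455556666"}}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicDelete", "Effect": "Allow", "Principal": "*",
     "Action": "SNS:DeleteTopic", "Resource": TOPIC},
    {"Sid": "ScopedGet", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": ["SNS:GetTopicAttributes"], "Resource": TOPIC, "Condition": COND},
    {"Sid": "PublishOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "SNS:Publish", "Resource": TOPIC},
]})
```

Run find_public_admin_statements on the output of aws sns get-topic-attributes (the Policy attribute) to check an existing topic.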

Reference:
1. https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html
3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html

Service

SNS

Severity

High

Compliance

Mapping
