Description:
Amazon Simple Notification Service (SNS) is a managed messaging service that lets applications, end users, and devices send and receive notifications from the cloud.
An SNS topic is a logical access point that acts as a communication channel. Publishers send messages to the topic, and the topic fans them out to a group of subscribed endpoints (such as AWS Lambda functions, Amazon SQS queues, HTTP/S endpoints, or email addresses).
Rationale:
A publicly accessible SNS topic exposes an existing interface to unwanted third parties, who can subscribe to the topic and tap into the data stream, resulting in a data leak to a party that should never have seen it.
Impact:
If an SNS topic is public, any AWS principal or anonymous caller can publish malicious messages to it, and those messages are delivered to every subscriber, including Lambda functions and SQS queues that act on them. A public topic also lets an unwanted party subscribe and receive data that was only meant for your own endpoints. Restricting the topic's access policy to known principals removes both exposures.
Default Value:
By default, only the topic owner (the account that created the topic) has permission to publish to or subscribe to the topic.
Pre-Requisites:
- Sign in as an administrator or as an IAM user with the permissions required to read and modify SNS topic attributes
- Copy the current access policy of the topic as a backup, so that it can be restored in the backout plan
Remediation:
Test plan:
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3
Step 2: Click on Topics in the left navigation pane
Step 3: Select the SNS topic that you want to test
Step 4: Click on the Access Policy tab
Step 5: Examine the Access Policy for a statement of the following shape:
"Effect": "Allow", "Principal": { "AWS": "*" },
"Action": [ "SNS:Publish" ],
"Resource": "arn:aws:sns:<region>:<12_digit_id>:icompaas"
If a statement with "Effect": "Allow" and a wildcard principal ("Principal": "*" or "Principal": { "AWS": "*" }) has no Condition clause restricting who may use it, the topic is exposed to anonymous access. Check every action granted this way, not only SNS:Publish: an unconditioned SNS:Subscribe or SNS:Receive lets outsiders read the stream, and SNS:SetTopicAttributes or SNS:AddPermission lets them rewrite the policy itself.
Using AWS CLI:
To list your SNS topics:
aws sns list-topics --region <region> --output table --query 'Topics[]'
To retrieve the attributes of a topic:
aws sns get-topic-attributes --region <region> \
--topic-arn arn:aws:sns:<region>:<id>:<topic_name>
The command returns JSON; the access policy is the Policy attribute, which is itself a JSON string. Examine it for the statement shape described in Step 5.
Implementation
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3
Step 2: Click on Topics in the left navigation pane
Step 3: Select the SNS topic that you want to modify and click Edit
Step 4: Scroll down to Access policy and click the show/hide toggle to open the JSON editor
Step 5: Replace "Principal": { "AWS": "*" } with the ARN of the principal that should have access, for example "Principal": { "AWS": "IAMUSER_ARN" }
OR
Add a Condition clause to the statement so that only your own account can use it, as in the following policy (replace the region, account ID and topic name with your own):
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:ap-south-1:111122223333:Alarms_Topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111122223333"
        }
      }
    }
  ]
}
Step 6: Click Save changes
Using AWS CLI:
To apply a filter policy to a subscription (this limits which messages that subscriber receives; it does not restrict who can publish to or subscribe to the topic, so it complements but does not replace the access policy change above):
aws sns set-subscription-attributes --subscription-arn <arn:aws:sns:...> \
--attribute-name FilterPolicy \
--attribute-value '{"store":["example_corp"],"event":["order_placed"]}'
To grant a specific AWS account permission to publish to the topic (this appends a new statement to the topic's access policy; the wildcard statement must still be removed or conditioned as in Step 5):
aws sns add-permission --topic-arn arn:aws:sns:<region>:<id>:<topic_name> \
--label Publish-Permission --aws-account-id <account_id> --action-name Publish
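The following Python script is an added example, not code from the original page or from AWS. It automates both the test plan (parse the JSON returned by aws sns get-topic-attributes and report every Allow statement that a wildcard principal can use without a Condition) and the implementation step (produce a hardened copy of the policy, either by replacing the wildcard principal with a given ARN or by appending the AWS:SourceOwner condition from the default topic policy). The sample get-topic-attributes response, topic ARN, account ID and statement Sids are constructed for illustration; the hardened policy it prints can be written to a file and applied with aws sns set-topic-attributes --attribute-name Policy.

```python
import copy
import json

# Constructed sample (not real output): the shape `aws sns get-topic-attributes`
# returns for a topic whose default statement was widened to Principal "*".
TOPIC_ARN = "arn:aws:sns:ap-south-1:111122223333:Alarms_Topic"
SAMPLE_ATTRIBUTES = {
    "Attributes": {
        "TopicArn": TOPIC_ARN,
        "Owner": "111122223333",
        "Policy": json.dumps({
            "Version": "2008-10-17",
            "Id": "__default_policy_ID",
            "Statement": [
                {   # anonymous publish, no Condition: must be flagged
                    "Sid": "AnonPublish",
                    "Effect": "Allow",
                    "Principal": {"AWS": "*"},
                    "Action": ["SNS:Publish"],
                    "Resource": TOPIC_ARN,
                },
                {   # wildcard principal scoped to the owner account: not flagged
                    "Sid": "OwnerOnly",
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": ["SNS:Subscribe", "SNS:Receive"],
                    "Resource": TOPIC_ARN,
                    "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}},
                },
                {   # specific service principal: not flagged
                    "Sid": "CloudWatchAlarms",
                    "Effect": "Allow",
                    "Principal": {"Service": "cloudwatch.amazonaws.com"},
                    "Action": "SNS:Publish",
                    "Resource": TOPIC_ARN,
                },
            ],
        }),
    }
}


def load_policy(attributes):
    """Extract the access policy dict from a get-topic-attributes response."""
    return json.loads(attributes["Attributes"]["Policy"])


def has_wildcard_principal(statement):
    """True if Principal is "*" in either spelling IAM accepts."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def is_anonymous(statement):
    """Allow + wildcard principal + no Condition: anyone can use the statement.

    Treating any Condition as a restriction mirrors the manual test plan and is
    a heuristic: a Condition on a key that does not narrow the caller still
    leaves the topic exposed and needs a human look.
    """
    return (statement.get("Effect") == "Allow"
            and has_wildcard_principal(statement)
            and not statement.get("Condition"))


def anonymous_statements(policy):
    """Sids of the statements in the policy that grant anonymous access."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in policy.get("Statement", []) if is_anonymous(stmt)]


def harden_policy(policy, account_id, principal_arn=None):
    """Return a copy of the policy with every anonymous statement closed.

    With principal_arn, the wildcard is replaced by that ARN (the page's first
    option); otherwise the AWS:SourceOwner condition from the default topic
    policy is appended (the second option). Other statements are untouched.
    """
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        if not is_anonymous(stmt):
            continue
        if principal_arn:
            stmt["Principal"] = {"AWS": principal_arn}
        else:
            stmt["Condition"] = {"StringEquals": {"AWS:SourceOwner": account_id}}
    return fixed


if __name__ == "__main__":
    policy = load_policy(SAMPLE_ATTRIBUTES)
    print("anonymous statements:", anonymous_statements(policy))
    # Save the output as policy.json and apply it with:
    #   aws sns set-topic-attributes --topic-arn <topic_arn> \
    #       --attribute-name Policy --attribute-value file://policy.json
    print(json.dumps(harden_policy(policy, "111122223333"), indent=2))
```

Run it after piping a real get-topic-attributes response into SAMPLE_ATTRIBUTES (or loading it with json.load from the CLI's output) and review the printed policy before applying it; harden_policy never removes a statement, so a wildcard statement that also grants SNS:SetTopicAttributes will still need the principal narrowed if the SourceOwner condition is broader than you intend.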
Backout Plan:
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3
Step 2: Click on Topics in the left navigation pane
Step 3: Select the SNS topic that you want to restore
Step 4: Click Edit
Step 5: Scroll down to Access policy and click the show/hide toggle to open the JSON editor
Step 6: Remove the edited policy from the JSON editor, paste in the access policy that was copied as a backup before the implementation, and click Save changes
To delete the SNS topic instead, follow these steps:
Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3
Step 2: Click on Topics in the left navigation pane
Step 3: Select the SNS topic that you want to delete
Reference:
https://docs.aws.amazon.com/sns/latest/dg/welcome.html