Description:

Amazon Simple Notification Service (SNS) is a web service that enables applications, end-users, and devices to instantly send and receive notifications from the cloud.

An SNS topic is a logical access point that acts as a communication channel. It groups multiple endpoints (such as AWS Lambda, Amazon SQS, HTTP/S, or an email address) so that one published message is delivered to all of them.


Rationale:

A public SNS topic exposes an existing interface to unwanted third parties, who can tap into the data stream and cause data to leak to an unintended party.


Impact:

If SNS topics are public, their security is at risk: any third party can publish malicious messages to the topic, and the topic may leak data to unwanted parties. Removing public access therefore improves the privacy of the data flowing through the topic.


Default Value:

By default, only the topic owner has permission to publish or subscribe to a topic.


Pre-Requisites:

  • Sign in as an admin or as an IAM user with the required permissions
  • Copy the current access policy as a backup before making changes


Remediation:


Test plan:

Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3

Step 2: Click on Topics in the left navigation pane

Step 3: Select the SNS topic you want to test


Step 4:  Click on the Access Policy tab 

Step 5:  Examine whether the Access Policy contains a statement like the following:

    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": [ "SNS:Publish" ],
    "Resource": "arn:aws:sns:<region>:<12_digit_id>:icompaas"

If such a statement has no Condition clause restricting who may use it, the SNS topic is exposed to anonymous access.


Using AWS CLI:

To list your SNS topics:

aws sns list-topics --region <region> --output table --query 'Topics[]'

To retrieve the attributes of a topic:

aws sns get-topic-attributes --region <region> \
--topic-arn arn:aws:sns:<region>:<id>:<topic_name>

The command returns the topic attributes as JSON; the access policy is the Policy attribute (itself a JSON string). Examine it for the statement described in Step 5 above.
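The check in Test plan Step 5 and the CLI output above can be automated. The following is an added example (not code from the original page or from AWS): it takes the JSON printed by `aws sns get-topic-attributes`, parses the Policy attribute, and flags every Allow statement whose Principal is the wildcard and which carries no Condition clause. The sample output embedded below is constructed to resemble the CLI output for a public topic; the SENSITIVE_ACTIONS set is an assumption about which actions matter for this check.

```python
"""Flag SNS topic access-policy statements that grant anonymous access.

Added example, not part of the original page. Mirrors Test plan Step 5:
an Allow statement whose Principal is "*" (or {"AWS": "*"}) and that has
no Condition clause is treated as public. `aws sns get-topic-attributes`
returns the policy as a JSON string under Attributes.Policy; SAMPLE_PUBLIC
below is a constructed stand-in for that output.
"""
import json

# Actions that let an outside party push into or read the data stream
# (assumption: these are the actions worth flagging for this check).
SENSITIVE_ACTIONS = {"sns:publish", "sns:subscribe", "sns:receive", "sns:*"}


def _as_list(value):
    """IAM policy fields may be a single string/object or a list; normalise."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (including "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return the Sids (or positional labels) of statements granting anonymous access."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. AWS:SourceOwner) scopes the grant, so it is not
            # anonymous by the page's test. Weak conditions (such as only
            # aws:SecureTransport) still deserve a manual look.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & SENSITIVE_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def check_topic_attributes(attributes_json):
    """Take the JSON printed by `aws sns get-topic-attributes` and return findings."""
    attrs = json.loads(attributes_json)["Attributes"]
    policy = json.loads(attrs["Policy"])
    return {"TopicArn": attrs["TopicArn"], "PublicStatements": public_statements(policy)}


# Constructed sample resembling get-topic-attributes output for a public topic.
SAMPLE_PUBLIC = json.dumps({
    "Attributes": {
        "TopicArn": "arn:aws:sns:ap-south-1:111122223333:Alarms_Topic",
        "Policy": json.dumps({
            "Version": "2008-10-17",
            "Statement": [{
                "Sid": "AnyonePublish",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["SNS:Publish"],
                "Resource": "arn:aws:sns:ap-south-1:111122223333:Alarms_Topic",
            }],
        }),
    }
})

if __name__ == "__main__":
    # Expected: PublicStatements contains "AnyonePublish".
    print(json.dumps(check_topic_attributes(SAMPLE_PUBLIC), indent=2))
```

To run it against a real topic, pipe the CLI output in: `aws sns get-topic-attributes --topic-arn <arn> | python3 -c 'import sys, checker; print(checker.check_topic_attributes(sys.stdin.read()))'` (assuming the block is saved as checker.py). An empty PublicStatements list means no condition-less wildcard grant was found.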

 

Implementation


Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3

Step 2: Click on Topics in the left navigation pane

Step 3: Select the SNS topic which you want to modify and click on Edit  

Step 4: Scroll down to Access policy and click the show/hide button


Step 5: Replace "Principal": { "AWS" : "*" } with "Principal": { "AWS" : "IAMUSER_ARN" }
OR

Add a Condition clause to the policy, for example by rewriting the policy as follows:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:ap-south-1:111122223333:Alarms_Topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111122223333"
        }
      }
    }
  ]
}

Step 6: Click Save changes

Using AWS CLI:


To apply a filter policy to a subscription (this controls which messages a subscriber receives; it does not restrict who can publish to the topic):

aws sns set-subscription-attributes --subscription-arn <arn:aws:sns: ...> \
--attribute-name FilterPolicy \
--attribute-value '{"store":["example_corp"],"event":["order_placed"]}'


To grant a specific account permission to publish to a topic:

aws sns add-permission --topic-arn arn:aws:sns:<region>:<id>:<topic_name> \
--label Publish-Permission --aws-account-id <account_id> --action-name Publish
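The two options in Implementation Step 5 (replace the wildcard Principal with a specific IAM principal ARN, or keep the wildcard and add the AWS:SourceOwner condition) can be applied to the policy document programmatically before it is written back. The block below is an added example, not code from the original page or from AWS: `harden_policy` rewrites only the condition-less wildcard Allow statements that the test plan flags, and `set_policy_command` builds the `aws sns set-topic-attributes` call that writes the result back with correct shell quoting. The sample policy is constructed (the page's example policy with its Condition removed); the function names and the example IAM user ARN are assumptions.

```python
"""Harden a public SNS topic access policy (added example, not from the page).

Implements the two options of Implementation Step 5: either replace the
wildcard Principal with a specific IAM principal ARN, or keep the wildcard
and add the AWS:SourceOwner condition shown in the page's policy. Works on
the parsed policy document and returns a new one; the caller pushes it back
with `aws sns set-topic-attributes --attribute-name Policy`.
"""
import copy
import json
import shlex


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard(principal):
    """True for "*" or {"AWS": "*"} (including "*" inside an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def harden_policy(policy, account_id, principal_arn=None):
    """Return a copy of `policy` with every anonymous Allow statement scoped.

    If principal_arn is given the wildcard is replaced by it (option A);
    otherwise a StringEquals AWS:SourceOwner condition is added (option B).
    Statements that already carry a Condition are left untouched, matching
    the page's test, which only flags condition-less wildcard grants.
    """
    hardened = copy.deepcopy(policy)  # never mutate the backup copy
    for stmt in _as_list(hardened.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        if principal_arn:
            stmt["Principal"] = {"AWS": principal_arn}
        else:
            stmt["Condition"] = {"StringEquals": {"AWS:SourceOwner": account_id}}
    return hardened


def set_policy_command(topic_arn, policy):
    """Build the aws-cli call that writes the policy back, with shell-safe quoting."""
    return (
        "aws sns set-topic-attributes"
        f" --topic-arn {shlex.quote(topic_arn)}"
        " --attribute-name Policy"
        f" --attribute-value {shlex.quote(json.dumps(policy))}"
    )


# Constructed sample: the page's example policy before the Condition was added.
TOPIC_ARN = "arn:aws:sns:ap-south-1:111122223333:Alarms_Topic"
SAMPLE_PUBLIC_POLICY = {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:GetTopicAttributes", "SNS:Subscribe", "SNS:Publish", "SNS:Receive"],
        "Resource": TOPIC_ARN,
    }],
}

if __name__ == "__main__":
    # Option B: keep the wildcard but scope it to the owning account.
    scoped = harden_policy(SAMPLE_PUBLIC_POLICY, "111122223333")
    print(json.dumps(scoped, indent=2))
    print(set_policy_command(TOPIC_ARN, scoped))
    # Option A: restrict to one IAM user (assumed ARN for illustration).
    named = harden_policy(SAMPLE_PUBLIC_POLICY, "111122223333",
                          principal_arn="arn:aws:iam::111122223333:user/publisher")
    print(json.dumps(named["Statement"][0]["Principal"]))
```

Keep the original policy document (the backup from the pre-requisites) unchanged; `harden_policy` works on a deep copy so the backout plan can restore it verbatim.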


Backout Plan:


Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3

Step 2: Click on Topics in the left navigation pane

Step 3: Select the SNS topic which you want to edit

Step 4:  Click on the Edit tab 

Step 5: Scroll down to Access policy and click the show/hide button

Step 6: The original access policy JSON was copied as a backup before the implementation plan; remove the edited policy from the JSON editor and paste the original access policy back in, then save.


To delete the SNS topic, follow these steps:

Step 1: Sign in to the AWS Management Console and go to the SNS dashboard https://console.aws.amazon.com/sns/v3

Step 2: Click on Topics in the left navigation pane

Step 3: Select the SNS topic which you want to delete


Reference:

https://docs.aws.amazon.com/sns/latest/dg/welcome.html 

  1. Creating an Amazon SNS topic - Amazon Simple Notification Service 

  2. What is Amazon SNS? - Amazon Simple Notification Service 

  3. Permissions for the Amazon SNS Topic - Amazon Config 

  4. sns — AWS CLI 1.22.73 Command Reference