Profile Applicability:

  • Level 1

Description:

AWS Directory Service (DS) supports integration with Amazon Simple Notification Service (SNS) to send alerts and notifications for directory events such as status changes, failures, and important updates. Enabling SNS notifications ensures that administrators are promptly informed about any critical events related to directory health, security incidents, or configuration changes.

This check verifies that AWS Directory Service is configured to send notifications to an SNS topic, enabling real-time monitoring and alerting.

Rationale:

  • Proactive Monitoring: Timely notifications help administrators quickly respond to potential issues.

  • Incident Response: Immediate alerts facilitate faster troubleshooting and incident management.

  • Audit & Compliance: Provides a notification trail that aids in compliance with security standards like CIS Benchmarks, SOC 2, HIPAA, and PCI-DSS.

  • High Availability: Reduces the risk of prolonged outages or issues due to faster detection.

Impact:

  • Pros:

    • Enables proactive incident management.

    • Enhances visibility into Directory Service operations and issues.

    • Supports compliance with audit and monitoring requirements.

  • Cons:

    • Potential for notification overload if misconfigured.

    • Requires proper IAM permissions for SNS topic access.

    • SNS costs may apply for high-frequency notifications.

Default Value:

  • SNS Notifications are disabled by default for AWS Directory Service.

  • Must be manually enabled and linked to an SNS topic.

Pre-Requisites:

  • IAM Permissions:

    • ds:DescribeDirectories

    • ds:DescribeEventTopics

    • ds:RegisterEventTopic

    • ds:DeregisterEventTopic

    • sns:CreateTopic

    • sns:Subscribe

    • sns:SetTopicAttributes

  • SNS Topic:

    • Create or identify an existing SNS topic to receive directory notifications.

    • Ensure appropriate subscribers (e.g., email, Lambda, HTTP/S endpoints) are attached.

  • AWS CLI installed and configured.

Remediation:

Test Plan:

Using AWS Console:
  1. Sign in to the AWS Management Console.

  2. Navigate to Directory Service → Directories.

  3. Select the AWS Managed Microsoft AD, Simple AD, or AD Connector directory.

  4. In the left-hand menu, select Notifications.

  5. Check if an SNS topic is listed and enabled for notifications.

  6. If not configured, follow the remediation steps below.

Using AWS CLI:

List All Directories:

aws ds describe-directories --query 'DirectoryDescriptions[*].{DirectoryId:DirectoryId,Name:Name,Type:Type}'

Check SNS Notifications for a Directory (event topics are not part of describe-directories output; they are listed by describe-event-topics):

aws ds describe-event-topics --directory-id <directory-id> --query 'EventTopics[*].TopicArn'

Expected Output:

[
 "arn:aws:sns:us-east-1:123456789012:MyDirectoryNotifications"
]

Pass Criteria:

  • describe-event-topics returns at least one topic with a valid SNS Topic ARN and a Status of Registered.

  • The SNS topic has active (confirmed) subscribers.
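The Pass Criteria above as an audit script (added example, not AWS or CIS code): evaluate_directory() applies both criteria to plain API response dicts, so it runs offline against the constructed sample data at the bottom, and audit_account() drives it with live boto3 ds and sns clients. The function names, sample directory IDs and sample subscription ARN are assumptions.

```python
try:
    import boto3  # only needed by audit_account(); the checks below run offline
except ImportError:
    boto3 = None

PENDING = "PendingConfirmation"  # SubscriptionArn of an unconfirmed subscription


def evaluate_directory(directory, event_topics, subscriptions_by_topic):
    """Apply the Pass Criteria to one directory and return a finding dict.
    event_topics: the 'EventTopics' list from ds.describe_event_topics()
    subscriptions_by_topic: {TopicArn: 'Subscriptions' list from
                             sns.list_subscriptions_by_topic()}
    """
    reasons = []
    registered = [t for t in event_topics if t.get("Status") == "Registered"]
    if not registered:
        reasons.append("no SNS event topic registered")
    for topic in registered:
        subs = subscriptions_by_topic.get(topic["TopicArn"], [])
        if not any(s.get("SubscriptionArn") != PENDING for s in subs):
            reasons.append(f"{topic['TopicArn']} has no confirmed subscriber")
    return {"DirectoryId": directory["DirectoryId"], "Name": directory.get("Name"),
            "Pass": not reasons, "Reasons": reasons}


def audit_account(ds, sns):
    """Evaluate every directory visible to boto3 'ds' and 'sns' clients.
    (NextToken pagination is omitted for brevity.)"""
    findings = []
    for d in ds.describe_directories()["DirectoryDescriptions"]:
        topics = ds.describe_event_topics(DirectoryId=d["DirectoryId"])["EventTopics"]
        subs = {t["TopicArn"]: sns.list_subscriptions_by_topic(
                    TopicArn=t["TopicArn"])["Subscriptions"] for t in topics}
        findings.append(evaluate_directory(d, topics, subs))
    return findings


# Constructed sample responses (not real account data) for an offline run.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:DirectoryNotifications"
SAMPLE_DIRS = [{"DirectoryId": "d-1111111111", "Name": "corp.example.com"},
               {"DirectoryId": "d-2222222222", "Name": "lab.example.com"}]
SAMPLE_TOPICS = {"d-1111111111": [{"TopicArn": TOPIC_ARN, "Status": "Registered"}],
                 "d-2222222222": []}
SAMPLE_SUBS = {TOPIC_ARN: [{"SubscriptionArn": PENDING, "Protocol": "email"},
                           {"SubscriptionArn": TOPIC_ARN + ":0d1e2f3a", "Protocol": "email"}]}

if __name__ == "__main__":
    for d in SAMPLE_DIRS:  # d-1111111111 passes, d-2222222222 fails
        print(evaluate_directory(d, SAMPLE_TOPICS[d["DirectoryId"]], SAMPLE_SUBS))
```

For a live run, create the clients with boto3.client("ds") and boto3.client("sns") and pass them to audit_account().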

Implementation Steps:

Using AWS Console:
  1. Create an SNS Topic:

    • Navigate to Amazon SNS.

    • Choose Create topic → Standard.

    • Enter a name for the topic (e.g., DirectoryNotifications).

    • Click Create topic.

  2. Subscribe to the Topic:

    • Select the newly created topic.

    • Choose Create subscription.

    • Select the protocol (e.g., Email, Lambda, HTTP/S).

    • Enter the endpoint (e.g., email address).

    • Confirm the subscription (check your email if using Email protocol).

  3. Attach SNS Topic to Directory Service:

    • Navigate to AWS Directory Service → Directories.

    • Select the directory to configure.

    • Choose Notifications → Set up notifications.

    • Select the SNS topic created in Step 1.

    • Click Save changes.

Using AWS CLI:

Create an SNS Topic:

aws sns create-topic --name DirectoryNotifications

Subscribe an Email to the SNS Topic:

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:123456789012:DirectoryNotifications --protocol email --notification-endpoint youremail@example.com

Attach SNS Topic to Directory Service (the topic is passed by name, not ARN):

aws ds register-event-topic --directory-id <directory-id> --topic-name DirectoryNotifications

Verify SNS Topic Attachment:

aws ds describe-event-topics --directory-id <directory-id> --query 'EventTopics[*].TopicArn'

Backout Plan:

  • If Unwanted Notifications Occur:

Detach SNS Topic:

aws ds deregister-event-topic --directory-id <directory-id> --topic-name DirectoryNotifications

Delete SNS Topic (if no longer needed):

aws sns delete-topic --topic-arn arn:aws:sns:us-east-1:123456789012:DirectoryNotifications

Manage Subscriptions:

  • Navigate to SNS Console.

  • Remove unnecessary subscribers or adjust protocols as needed.

References:

  1. AWS Directory Service – Notifications

  2. Amazon SNS – Getting Started

  3. AWS CLI – Directory Service

  4. AWS CLI – SNS

CIS Controls:

  Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 6.11       | Establish and Maintain an Audit Log Management Process – Ensure security logs are collected and reviewed. |     |     |
  v8      | 8.6        | Centralize Audit Logs – Send critical notifications to centralized monitoring systems.                   |     |     |
  v7      | 6.5        | Central Log Management – Aggregate important logs for analysis and alerting.                             |     |     |