Profile Applicability

  • Level 2

Description

Amazon SNS supports HTTP and HTTPS endpoints for delivering messages. However, HTTP endpoints transmit data in plaintext, making them vulnerable to interception and unauthorized access. To enhance security, all SNS subscriptions should use HTTPS endpoints instead of HTTP.

Rationale

  • Enhanced Security: HTTPS encrypts data in transit, protecting it from interception and unauthorized access.

  • Compliance: Meets regulatory requirements for secure data transmission.

  • Risk Mitigation: Reduces the risk of data breaches and man-in-the-middle attacks.

Impact

Pros:

  • Ensures secure communication between SNS and subscribed endpoints.

  • Reduces the risk of data interception and tampering.

  • Aligns with compliance and security standards.

Cons:

  • Requires configuration changes to migrate from HTTP to HTTPS endpoints.

  • May require additional setup for HTTPS certificates.

Default Value

By default, SNS subscriptions can use HTTP endpoints if explicitly configured.

Pre-Requisite

IAM Permissions:

  • sns:ListSubscriptions

  • sns:GetSubscriptionAttributes

  • sns:SetSubscriptionAttributes

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the SNS Dashboard.

  3. Select Subscriptions from the left-hand menu.

  4. Check the Protocol column for each subscription and identify any using HTTP.

Using AWS CLI:

  1. List All SNS Subscriptions:

    aws sns list-subscriptions --query "Subscriptions[*].{Protocol:Protocol,SubscriptionArn:SubscriptionArn}"

  2. Identify Subscriptions Using HTTP:

    aws sns get-subscription-attributes --subscription-arn <subscription-arn> --query "Attributes.Protocol"

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the SNS Dashboard.

  3. Select the subscription using an HTTP endpoint.

  4. Edit the subscription to replace the HTTP endpoint with an HTTPS endpoint.

  5. Save the changes.

Using AWS CLI:

  1. Update the Subscription to Use HTTPS. Protocol and Endpoint are not settable attributes of an existing subscription (set-subscription-attributes accepts only DeliveryPolicy, FilterPolicy, FilterPolicyScope, RawMessageDelivery, RedrivePolicy and SubscriptionRoleArn), so create a new HTTPS subscription on the same topic and remove the HTTP one after the endpoint has confirmed the new subscription:

    aws sns subscribe --topic-arn <topic-arn> --protocol https --notification-endpoint <https-endpoint>

    aws sns unsubscribe --subscription-arn <subscription-arn>

  2. Verify the Changes:

    aws sns get-subscription-attributes --subscription-arn <new-subscription-arn> --query "Attributes.Protocol"
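As an added example that is not part of this benchmark, the script below carries out the Test Plan audit with pagination (the CLI one-liner returns only the first page) and stages the Implementation Steps replacement; the live calls assume boto3 and configured credentials, and SAMPLE_SUBSCRIPTIONS is constructed data.

```python
"""Audit SNS subscriptions for plaintext HTTP delivery and stage the HTTPS swap.
Added example, not from the benchmark. The audit helpers are pure functions
over ListSubscriptions-shaped dicts; only main() needs boto3 and credentials."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like ListSubscriptions output (fake account id).
SAMPLE_SUBSCRIPTIONS = [
    {"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:alerts:1a2b3c",
     "Protocol": "http", "Endpoint": "http://hooks.example.com:80/sns",
     "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts"},
    {"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:alerts:4d5e6f",
     "Protocol": "https", "Endpoint": "https://hooks.example.com/sns",
     "TopicArn": "arn:aws:sns:us-east-1:123456789012:alerts"},
    {"SubscriptionArn": "PendingConfirmation", "Protocol": "http",
     "Endpoint": "http://legacy.example.net/notify",
     "TopicArn": "arn:aws:sns:us-east-1:123456789012:billing"},
]

def find_http_subscriptions(subscriptions):
    """Return subscriptions still delivering over plaintext HTTP. Unconfirmed
    ones carry the literal ARN 'PendingConfirmation' and cannot be unsubscribed,
    so they are flagged for follow-up rather than skipped."""
    return [{"SubscriptionArn": s["SubscriptionArn"], "TopicArn": s["TopicArn"],
             "Endpoint": s["Endpoint"],
             "Pending": s["SubscriptionArn"] == "PendingConfirmation"}
            for s in subscriptions if s.get("Protocol", "").lower() == "http"]

def https_endpoint_for(http_endpoint):
    """Rewrite http://host[:80]/path to https://host/path (port 443 implied).
    Only the URL changes; the receiver must actually serve TLS there."""
    p = urlsplit(http_endpoint)
    if p.scheme != "http" or p.port not in (None, 80):
        raise ValueError(f"map this endpoint manually: {http_endpoint}")
    return urlunsplit(("https", p.hostname, p.path or "/", p.query, ""))

def list_all_subscriptions(sns):
    """Page through ListSubscriptions; the CLI one-liner shows only page one."""
    return [s for page in sns.get_paginator("list_subscriptions").paginate()
            for s in page["Subscriptions"]]

def stage_https_replacement(sns, finding):
    """Protocol/Endpoint are immutable, so create a new HTTPS subscription.
    Unsubscribe the HTTP one only after the endpoint confirms the new one."""
    return sns.subscribe(TopicArn=finding["TopicArn"], Protocol="https",
                         Endpoint=https_endpoint_for(finding["Endpoint"]))

if __name__ == "__main__":
    import boto3  # imported late so the pure helpers run without it installed
    for f in find_http_subscriptions(list_all_subscriptions(boto3.client("sns"))):
        print(f"plaintext HTTP on {f['TopicArn']}: {f['Endpoint']}")
```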

Backout Plan

Using AWS Console:

  1. If switching to HTTPS causes any issues, sign in to the AWS Management Console.

  2. Navigate to Amazon SNS, select Subscriptions, and find the subscription with the incorrect HTTPS endpoint.

  3. Change the endpoint back to HTTP if necessary (although this is not recommended for security reasons).

  4. Save the changes and verify that the subscription is functioning as expected.

Using AWS CLI:

  1. If there are issues with the HTTPS endpoint, you can revert the changes by subscribing the HTTP endpoint again and removing the HTTPS subscription (not recommended); Endpoint is not a settable attribute, so a new subscription must be created:

    aws sns subscribe --topic-arn <TOPIC_ARN> --protocol http --notification-endpoint "http://unsecure-endpoint.com" --region <REGION>

    aws sns unsubscribe --subscription-arn <SUBSCRIPTION_ARN> --region <REGION>

  2. Verify the changes have been reverted:

    aws sns get-subscription-attributes --subscription-arn <NEW_SUBSCRIPTION_ARN> --region <REGION>

References

CIS Controls

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | |
v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | |