AWS-SNS-SNS-Topic-Policies
Severity : Critical
Description: This controls ensures that SNS topics do not allow Everyone to subscribe. Allowing anonymous users to have access to SNS topics can lead to unauthorized actions. To avoid data leakage, limit access to SNS topics by implementing the necessary policies. SNS topic policy should not contain allow Everyone with Action: "SNS: Subscribe" and "SNS: Receive". When granting permissions only specific users must be given permissions by implementing least-privilege access.
Remediation Steps:
Perform following to modify the default security group for VPC:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to SNS console.
Select Topics in navigation and select the reported topic from the list.
Navigate to the Access Policy section and , click Edit.
Edit Action statement to replace wildcard(*) to specific actions required for role or users.
Edit Resources statement to include specific SNS topics the action is allowed.
Edit Principal from wildcard(*) to specific IAM Users or Role ARN allowed.
Click Save Changes.
Important:
Reference:
{ "Version":"2008-10-17", "Id":"__default_policy_ID", "Statement":[ { "Sid":"__default_statement_ID", "Effect":"Allow", "Principal":{ "AWS":"*" }, "Action":[ "SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission", "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe", "SNS:ListSubscriptionsByTopic", "SNS:Publish", "SNS:Receive" ], "Resource":"[SNS_TOPIC_ARN]", "Condition":{ "StringEquals":{ "AWS:SourceOwner":"[Account_ID]" } } } ] }
Blue Hexagon Proprietary