AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AWS SNS Subscription Should Not Use HTTP As Delivery Protocol
More Info:
None of the Amazon SNS subscriptions created within your AWS account should use HTTP instead of HTTPS as delivery protocol in order to enforce SSL encryption for all subscription requests.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, HIPAA, ISO27001, AWSWAF
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the issue of “AWS SNS Subscription Should Not Use HTTP As Delivery Protocol” for AWS using the AWS console:
- Login to the AWS Management Console.
- Navigate to the SNS service from the Services dropdown.
- Click on the Subscriptions option from the left-hand menu.
- Select the subscription that is using HTTP as the delivery protocol.
- Click on the Edit button from the subscription details page.
- From the Protocol dropdown, select HTTPS as the delivery protocol.
- Enter the endpoint URL that supports HTTPS delivery.
- Click on the Update button to save the changes.
Once the above steps are completed, the SNS subscription will use HTTPS as the delivery protocol instead of HTTP, which will remediate the issue of “AWS SNS Subscription Should Not Use HTTP As Delivery Protocol”.
To remediate the misconfiguration of AWS SNS Subscription using HTTP as delivery protocol, follow the below steps:
-
Open the AWS CLI on your local machine.
-
Run the following command to list all the SNS subscriptions in your AWS account:
aws sns list-subscriptions -
Identify the subscription that uses HTTP as the delivery protocol.
-
Run the following command to update the subscription to use HTTPS as the delivery protocol:
aws sns set-subscription-attributes --subscription-arn <subscription-arn> --attribute-name DeliveryPolicy --attribute-value '{"http":{"defaultHealthyRetryPolicy":{"minDelayTarget":20,"maxDelayTarget":20,"numRetries":3,"numMaxDelayRetries":0,"numNoDelayRetries":0,"numMinDelayRetries":0,"backoffFunction":"linear"}},"https":{"defaultHealthyRetryPolicy":{"minDelayTarget":20,"maxDelayTarget":20,"numRetries":3,"numMaxDelayRetries":0,"numNoDelayRetries":0,"numMinDelayRetries":0,"backoffFunction":"linear"}}}'Replace
<subscription-arn>with the ARN of the subscription that needs to be updated. -
Verify that the subscription has been updated by running the following command:
aws sns get-subscription-attributes --subscription-arn <subscription-arn>This command will return the attributes of the subscription. Verify that the
DeliveryPolicyattribute has been updated with the new value. -
Repeat the above steps for all the SNS subscriptions that use HTTP as the delivery protocol.
By following these steps, you can remediate the misconfiguration of AWS SNS Subscription using HTTP as delivery protocol and update it to use HTTPS instead.
Sure, here are the step-by-step instructions to remediate the AWS SNS Subscription that uses HTTP as the delivery protocol using Python:
- First, you need to import the necessary libraries:
import boto3
- Next, create a new boto3 client for SNS:
sns_client = boto3.client('sns')
- Then, you need to get a list of all the subscriptions for your SNS topic:
response = sns_client.list_subscriptions_by_topic(TopicArn='your_topic_arn')
- Loop through the response and check if any of the subscriptions are using HTTP as the delivery protocol:
for subscription in response['Subscriptions']:
if subscription['Protocol'] == 'http':
subscription_arn = subscription['SubscriptionArn']
- If you find a subscription using HTTP, you need to update it to use HTTPS instead. To do this, you can use the
set_subscription_attributesmethod:
sns_client.set_subscription_attributes(
SubscriptionArn=subscription_arn,
AttributeName='DeliveryPolicy',
AttributeValue='{"http": {"defaultHealthyRetryPolicy": {"numRetries": 3,"numNoDelayRetries": 0,"minDelayTarget": 20,"maxDelayTarget": 20,"numMinDelayRetries": 0,"numMaxDelayRetries": 0,"backoffFunction": "linear"},"disableSubscriptionOverrides": false,"defaultThrottlePolicy": {"numRetries": 0,"numNoDelayRetries": 0,"minDelayTarget": 0,"maxDelayTarget": 0,"numMinDelayRetries": 0,"numMaxDelayRetries": 0,"backoffFunction": "linear"}},"https": {"defaultHealthyRetryPolicy": {"numRetries": 3,"numNoDelayRetries": 0,"minDelayTarget": 20,"maxDelayTarget": 20,"numMinDelayRetries": 0,"numMaxDelayRetries": 0,"backoffFunction": "linear"},"disableSubscriptionOverrides": false,"defaultThrottlePolicy": {"numRetries": 0,"numNoDelayRetries": 0,"minDelayTarget": 0,"maxDelayTarget": 0,"numMinDelayRetries": 0,"numMaxDelayRetries": 0,"backoffFunction": "linear"}}}'
)
This will update the subscription to use HTTPS as the delivery protocol.
That’s it! You have successfully remediated the AWS SNS Subscription that uses HTTP as the delivery protocol using Python.