SNS Topics Should Not Be Exposed
More Info:
There should not be any publicly accessible SNS topics. A topic whose access policy grants permissions to an anonymous principal lets anyone on the internet publish messages to it or subscribe to its messages, so such topics must be locked down to protect them against attackers and unauthorized personnel.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Follow these step-by-step instructions to remediate the SNS Topics Should Not Be Exposed issue in AWS using the AWS console:
- Log in to your AWS console.
- Open the SNS service.
- Click on the topic that you want to remediate.
- Click on the “Access policy” tab.
- Review the policy to ensure that it only allows access to the necessary users and roles.
- If the policy allows public access (an Allow statement whose Principal is "*" with no condition restricting the caller), click on the “Edit” button.
- Update the policy to restrict access to only the necessary users and roles.
- Click on the “Save changes” button to save the updated policy.
By following these steps, you will be able to remediate the SNS Topics Should Not Be Exposed issue in AWS using the AWS console.
To remediate the misconfiguration “SNS Topics Should Not Be Exposed” in AWS using AWS CLI, you can follow these steps:
- Identify the exposed SNS topics in your AWS account. List the topics with the following AWS CLI command, then retrieve each topic's access policy and look for an Allow statement whose Principal is "*" (or {"AWS": "*"}) with no condition that limits the caller:
aws sns list-topics
aws sns get-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --query Attributes.Policy --output text
- Once you have identified the exposed SNS topics, you can remove the public access policy from them using the following AWS CLI command:
aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --attribute-name Policy --attribute-value ""
Note: Replace the topic ARN with the ARN of the exposed SNS topic in your AWS account.
- You can also restrict access to the SNS topic by updating the access policy to allow only authorized AWS accounts or IAM users to access it. You can use the following AWS CLI command to update the access policy:
aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --attribute-name Policy --attribute-value '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/MyUser" }, "Action": "sns:Publish", "Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic" } ] }'
Note: Replace the topic ARN and IAM user ARN with the ARNs of the exposed SNS topic and authorized IAM user in your AWS account.
- Finally, you can also enable server-side encryption for the topic using AWS KMS so that messages stored in the SNS topic are encrypted at rest. You can use the following AWS CLI command to enable SNS encryption:
aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --attribute-name KmsMasterKeyId --attribute-value "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
Note: Replace the topic ARN and KMS key ARN with the ARNs of the SNS topic and KMS key in your AWS account.
By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Be Exposed” in your AWS account using AWS CLI.
To remediate the misconfiguration “SNS Topics Should Not Be Exposed” in AWS using Python, you can follow these steps:
Step 1: Create an AWS Lambda function with the following code:
import boto3
from botocore.exceptions import ClientError

def lambda_handler(event, context):
    sns = boto3.client('sns')
    # list_topics is paginated; walk every page rather than only the first one
    for page in sns.get_paginator('list_topics').paginate():
        for topic in page['Topics']:
            topic_arn = topic['TopicArn']
            try:
                # Label must equal the Sid of the policy statement to remove
                response = sns.remove_permission(
                    TopicArn=topic_arn,
                    Label='Everyone'
                )
                print(topic_arn, response['ResponseMetadata']['HTTPStatusCode'])
            except ClientError as err:
                # Keep going for the remaining topics if one call fails
                print(topic_arn, err)
Step 2: Save and deploy the Lambda function to your AWS account.
Step 3: Create an AWS CloudWatch Event Rule that triggers the Lambda function on a schedule or based on a specific event.
Step 4: Test the Lambda function to ensure that it removes the “Everyone” permission from all SNS topics in your AWS account.
This code removes the policy statement labelled “Everyone” from every SNS topic in your AWS account. Note that remove_permission only deletes the statement whose Sid matches the given label; a public statement saved under a different Sid (for example one written by hand in the console) is left in place, so verify each topic's policy afterwards with get-topic-attributes.
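The CLI step above asks you to identify exposed topics by reading their access policies, and the Lambda above only removes a statement with one fixed Sid. The following is an added example, not code from the original page or from any AWS project, that covers both: it classifies each statement of a topic policy as public or not (an Allow for an anonymous "*" principal with no condition such as aws:SourceArn or AWS:SourceOwner scoping the caller), strips the public statements, and optionally writes the result back through a boto3-style SNS client. The SAMPLE_POLICY document, the topic ARN and the remediate_topic helper are constructed for the example; it runs offline and needs no AWS credentials.

```python
"""Added example: find and strip public statements from an SNS topic policy.

Constructed for this page; not the page's own remediation code. SAMPLE_POLICY
is made up, and remediate_topic() accepts any object exposing boto3-style
get_topic_attributes / set_topic_attributes methods (e.g. boto3.client('sns')).
"""
import json
from typing import Any

# Condition keys that tie a "*" principal to a specific caller or source.
# A wildcard principal guarded by one of these is not internet-facing; the
# default SNS policy uses AWS:SourceOwner this way. Keys are case-insensitive.
SCOPING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
    "aws:principalarn", "aws:principalaccount", "aws:principalorgid",
}


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def _condition_scopes_principal(condition: Any) -> bool:
    """True when some condition key restricts who the wildcard resolves to."""
    if not isinstance(condition, dict):
        return False
    for keys in condition.values():  # e.g. {"StringEquals": {"AWS:SourceOwner": ...}}
        if isinstance(keys, dict) and any(k.lower() in SCOPING_CONDITION_KEYS for k in keys):
            return True
    return False


def is_public_statement(stmt: dict) -> bool:
    """A statement is public if it allows an unscoped anonymous principal."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _principal_is_wildcard(stmt.get("Principal")):
        return False
    return not _condition_scopes_principal(stmt.get("Condition"))


def _statements(policy: dict) -> list:
    """IAM allows a single statement object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def public_statement_sids(policy_json: str) -> list:
    """Sids of the public statements in a topic policy document."""
    return [s.get("Sid", "<no Sid>") for s in _statements(json.loads(policy_json))
            if is_public_statement(s)]


def restricted_policy(policy_json: str) -> str:
    """The same policy, as JSON text, with every public statement removed."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in _statements(policy) if not is_public_statement(s)]
    return json.dumps(policy)


def remediate_topic(sns, topic_arn: str) -> list:
    """Read the topic policy via the SNS client, strip public statements and
    write it back. Returns the removed Sids; an empty list means no change."""
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    policy_json = attrs.get("Policy", "")
    removed = public_statement_sids(policy_json) if policy_json else []
    if removed:
        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                                 AttributeValue=restricted_policy(policy_json))
    return removed


# Constructed sample: the default statement (scoped by AWS:SourceOwner), an S3
# service principal, a Deny, and one genuinely public Publish grant.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:MyTopic"  # placeholder ARN
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN,
         "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
        {"Sid": "AllowS3Events", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN},
        {"Sid": "DenyUnencrypted", "Effect": "Deny", "Principal": "*",
         "Action": "SNS:Publish", "Resource": TOPIC_ARN,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "PublicPublish", "Effect": "Allow", "Principal": "*",
         "Action": "SNS:Publish", "Resource": TOPIC_ARN},
    ],
})

if __name__ == "__main__":
    print("public statements:", public_statement_sids(SAMPLE_POLICY))
    print("restricted policy:", restricted_policy(SAMPLE_POLICY))
```

Run it as-is to see the constructed policy analysed; in a Lambda, call remediate_topic(boto3.client('sns'), topic_arn) for each ARN returned by the list_topics paginator. Only the public statements are dropped, so scoped grants such as the default statement and service principals keep working, and the returned Sids give you an audit trail of what changed per topic.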