AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
SNS Topics Should Not Allow Global Subscribe
More Info:
Your AWS Simple Notification Service (SNS) topics should not allow “Everyone” to subscribe in order to protect the messages published to your topics against attackers or unauthorized personnel.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate this misconfiguration in AWS using the AWS console:
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/.
- In the navigation pane, choose Topics.
- Select the SNS topic that you want to remediate.
- Choose the Access policy tab.
- In the Access policy editor, locate the statement that grants global subscribe permissions. It should look like this:
{
"Effect": "Allow",
"Principal": "*",
"Action": "SNS:Subscribe",
"Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "123456789012"
}
}
}
- Remove the
"Principal": "*"line from the statement to restrict subscriptions to only AWS accounts that you explicitly specify. - Choose Save changes to update the access policy for the SNS topic.
That’s it! You have successfully remediated the misconfiguration by removing global subscribe permissions from the SNS topic.
To remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using AWS CLI, you can follow these steps:
-
Open the AWS CLI on your local machine or EC2 instance.
-
Run the following command to list all the SNS topics in your AWS account:
aws sns list-topics -
Identify the SNS topic(s) that have global subscription enabled.
-
Run the following command to update the policy of the identified SNS topic(s) to disallow global subscription:
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value '{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{"Effect":"Deny","Principal":{"AWS":"*"},"Action":"SNS:Subscribe","Resource":"<topic-arn>"}]}'Replace
<topic-arn>with the ARN of the identified SNS topic. -
Verify that the policy has been updated successfully by running the following command:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names PolicyReplace
<topic-arn>with the ARN of the identified SNS topic. -
Repeat steps 3-5 for all the SNS topics that have global subscription enabled.
By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using AWS CLI.
To remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using Python, you can follow the below steps:
- First, you need to get a list of all the SNS topics in your AWS account using the boto3 library in Python. You can use the following code snippet to achieve this:
import boto3
sns = boto3.client('sns')
response = sns.list_topics()
topics = response['Topics']
- Once you have the list of all SNS topics, you can iterate through each topic and check if it allows global subscriptions. To do this, you need to get the policy of the SNS topic using the
get_topic_attributesmethod and then check if the policy allows global subscriptions. You can use the following code snippet to achieve this:
for topic in topics:
topic_arn = topic['TopicArn']
attributes = sns.get_topic_attributes(TopicArn=topic_arn)
policy = attributes['Attributes']['Policy']
if 'AllowEveryoneToSubscribe' in policy:
# Remove the global subscription permission
policy = policy.replace('"AllowEveryoneToSubscribe": "true"', '"AllowEveryoneToSubscribe": "false"')
# Update the policy
sns.set_topic_attributes(TopicArn=topic_arn, AttributeName='Policy', AttributeValue=policy)
- Finally, you need to test the remediation by checking if the SNS topics still allow global subscriptions. You can use the same code snippet in step 2 to check the policy of each SNS topic and make sure that the “AllowEveryoneToSubscribe” parameter is set to “false”.
By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using Python.