SNS Topics Should Not Have Cross Account Access
More Info:
Your SNS topics should be configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. An overly permissive topic access policy lets a principal in another account publish messages to the topic (which your subscribers then process as if they were yours) or subscribe to it (receiving everything you publish). Restricting the policy prevents data leaks through unexpected subscriptions and avoids unexpected charges on your AWS bill from traffic you did not originate.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using the console, follow these steps:
- Open the AWS SNS console at https://console.aws.amazon.com/sns/.
- Choose “Topics” in the navigation pane and select the SNS topic that you want to remediate.
- Click “Edit” and expand the “Access policy” section to view the topic’s resource-based policy as JSON.
- Review the policy. A statement grants cross-account access when its “Principal” names an account, user or role that is not in your account, or when it is “*” without a condition (such as “aws:SourceOwner” or “aws:SourceAccount”) that limits the caller to your own account ID. Note that the policy SNS generates by default uses “*” with an “AWS:SourceOwner” condition, which is not cross-account access.
- Remove any statement that grants cross-account access. If an external account genuinely needs the topic, keep the statement but restrict its “Principal” to that specific account and its “Action” to what that account needs (typically only “SNS:Publish” or “SNS:Subscribe”).
- Click on the “Save changes” button to save the modified access policy.
After following these steps, the SNS topic will no longer have cross-account access and the misconfiguration will be remediated.
To remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine.
- Run the following command to find the ID of the account that owns the topics, so that you can tell local principals from foreign ones:
aws sts get-caller-identity --query Account --output text
- Run the following command to list all the SNS topics in the current region:
aws sns list-topics
- Run the following command to inspect the access policy of each topic:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
Replace <topic-arn>
with the ARN of the SNS topic. The Policy attribute is returned as a JSON string. A statement grants cross-account access when its Principal names another account, or is "*" without an aws:SourceOwner or aws:SourceAccount condition bound to your own account ID (the default policy SNS generates uses "*" with AWS:SourceOwner, which is local access only).
- Identify the SNS topics whose policy has cross-account access.
- If the offending statement has a Sid (SNS calls it the statement label), run the following command to remove just that statement:
aws sns remove-permission --topic-arn <topic-arn> --label <permission-label>
Replace <topic-arn>
with the ARN of the SNS topic that has cross-account access. Replace <permission-label>
with the Sid of the statement that you want to remove.
- Run the following command to verify that the cross-account access has been removed:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
- If the statement has no Sid, or the policy as a whole needs rewriting, replace the policy with one that grants access to your own account only. An empty document such as "{}" is not a valid policy (a policy must contain a Statement), so write a file policy.json with the following content, replacing <account-id> and <topic-arn>:
{"Version": "2012-10-17", "Statement": [{"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::<account-id>:root"}, "Action": "SNS:*", "Resource": "<topic-arn>"}]}
and run the following command to update the policy for the SNS topic:
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value file://policy.json
- Run the following command to verify that the policy for the SNS topic has been updated:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
- Repeat the inspection, removal and verification steps for all the SNS topics in your AWS account that have cross-account access.
By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using AWS CLI.
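The review step in both the console and the CLI procedure above comes down to one question: which statements of the topic policy let a principal outside your account use the topic? The following Python is an added example, not code from the original page or from AWS. It parses a constructed topic policy (the account IDs 111122223333 and 999988887777, the topic ARN and the Sid names are made up for the example), returns the statements that grant cross-account access, and builds the policy to write back. It goes a little beyond the page in two ways: it treats Principal "*" as local only when a StringEquals aws:SourceOwner or aws:SourceAccount condition pins the caller to your own account ID, which is how the default policy SNS generates looks, and it falls back to an owner-only policy when removing the offending statements would leave nothing behind. Service principals (for example CloudWatch publishing to the topic) are left alone, since they are not cross-account grants.

```python
import json

# Constructed sample: the account that owns the topic and a second, foreign account.
# Both IDs, the topic ARN and the Sid names are made up for this example.
ACCOUNT_ID = "111122223333"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:alerts"
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {   # what SNS generates by default: "*" pinned to the owner account
            "Sid": "__default_statement_ID", "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
            "Resource": TOPIC_ARN,
            "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT_ID}},
        },
        {   # a service principal from this account: out of scope for this check
            "Sid": "CloudWatchAlarms", "Effect": "Allow",
            "Principal": {"Service": "cloudwatch.amazonaws.com"},
            "Action": "SNS:Publish", "Resource": TOPIC_ARN,
            "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:cloudwatch:us-east-1:{ACCOUNT_ID}:alarm:*"}},
        },
        {   # cross-account: another account's root may publish
            "Sid": "PartnerPublish", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
            "Action": "SNS:Publish", "Resource": TOPIC_ARN,
        },
        {   # cross-account: anyone at all may subscribe, no condition
            "Sid": "AnyoneSubscribe", "Effect": "Allow",
            "Principal": "*", "Action": "SNS:Subscribe", "Resource": TOPIC_ARN,
        },
    ],
})


def aws_principals(statement):
    """AWS principals named by a statement, "*" included; service principals are skipped."""
    p = statement.get("Principal", [])
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return [p] if isinstance(p, str) else list(p)


def condition_pins_account(statement, account_id):
    """True if a StringEquals aws:SourceOwner / aws:SourceAccount condition names only account_id."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in pairs.items():
            if key.lower() in ("aws:sourceowner", "aws:sourceaccount"):
                values = [value] if isinstance(value, str) else list(value)
                if values == [account_id]:
                    return True
    return False


def cross_account_statements(policy, account_id):
    """Statements that let a principal outside account_id use the topic."""
    findings = []
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        for p in aws_principals(s):
            unpinned_wildcard = p == "*" and not condition_pins_account(s, account_id)
            foreign = p != "*" and account_id not in p   # ARN or bare ID of another account
            if unpinned_wildcard or foreign:
                findings.append(s)
                break
    return findings


def owner_only_policy(topic_arn, account_id):
    """Replacement policy granting the owning account full access and nobody else anything."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OwnerOnly", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "SNS:*", "Resource": topic_arn}]}


def remediate(policy, topic_arn, account_id):
    """Drop cross-account statements; if no local statement survives, fall back to owner-only."""
    bad = cross_account_statements(policy, account_id)
    kept = [s for s in policy.get("Statement", []) if s not in bad]
    if not kept:
        return owner_only_policy(topic_arn, account_id)
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)   # get-topic-attributes returns Policy as a string
    for s in cross_account_statements(policy, ACCOUNT_ID):
        print("cross-account:", s["Sid"], "->", s["Principal"])
    print(json.dumps(remediate(policy, TOPIC_ARN, ACCOUNT_ID), indent=2))
```

On the sample policy the checker flags PartnerPublish and AnyoneSubscribe and keeps the default statement and the CloudWatch grant. To use it against a real topic, feed it the string returned by get-topic-attributes and your own account ID from get-caller-identity, and pass the output of remediate to set-topic-attributes only after confirming that none of the flagged grants is one you intend to keep.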
To remediate the misconfiguration of SNS topics having cross-account access in AWS using Python, you can follow the below steps:
- Identify the SNS topics whose access policy grants access to a principal outside your account.
- Revoke the cross-account access by removing those statements from the policy.
- Verify that the cross-account access has been revoked successfully.
Here is the Python code to remediate the misconfiguration:
import json
import boto3
# Create an SNS client
sns = boto3.client('sns')
# The account that owns the topics; a principal from any other account is cross-account
account_id = boto3.client('sts').get_caller_identity()['Account']
def grants_cross_account(statement):
    """True if an Allow statement grants access to a principal outside this account."""
    if statement.get('Effect') != 'Allow':
        return False
    principal = statement.get('Principal', {})
    aws = principal.get('AWS', []) if isinstance(principal, dict) else principal
    for p in [aws] if isinstance(aws, str) else aws:
        if p == '*':
            # "*" is local only when a Condition ties the caller to this account,
            # as the SNS default policy does with AWS:SourceOwner
            if account_id not in json.dumps(statement.get('Condition', {})):
                return True
        elif account_id not in p:  # ARN or bare ID of another account
            return True
    return False
# Loop through every topic (list_topics is paginated)
for page in sns.get_paginator('list_topics').paginate():
    for topic in page['Topics']:
        topic_arn = topic['TopicArn']
        # The Policy attribute is a JSON string, so parse it before inspecting it
        policy = json.loads(sns.get_topic_attributes(TopicArn=topic_arn)['Attributes']['Policy'])
        statements = policy.get('Statement', [])
        kept = [s for s in statements if not grants_cross_account(s)]
        if len(kept) == len(statements):
            continue
        if not kept:
            print(f"Every statement on {topic_arn} is cross-account; replace its policy by hand")
            continue
        print(f"Revoking cross-account access for {topic_arn}")
        # Revoke the cross-account access by writing the policy back without those statements
        policy['Statement'] = kept
        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName='Policy', AttributeValue=json.dumps(policy))
        print(f"Cross-account access revoked for {topic_arn}")
Note: This code removes every policy statement that grants cross-account access from every SNS topic in the region. It is important to review each topic's policy before running it, because some cross-account grants (for example a partner account that publishes to the topic) may be needed for a legitimate use case; keep such a statement, but restrict its Principal to that specific account and its Action to what the account needs.