Sns cross account access remediation

Using Console

Using CLI

To remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to list all the SNS topics in your AWS account:

aws sns list-topics

Identify the SNS topic that has cross-account access.
Run the following command to remove cross-account access from the SNS topic:

aws sns remove-permission --topic-arn <topic-arn> --label <permission-label>

Replace <topic-arn> with the ARN of the SNS topic that has cross-account access. Replace <permission-label> with the label of the permission that you want to remove.

Run the following command to verify that the cross-account access has been removed:

aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy

Replace <topic-arn> with the ARN of the SNS topic that you want to verify.

If the output of the above command shows that the policy for the SNS topic still has cross-account access, then you need to update the policy for the SNS topic.
Run the following command to update the policy for the SNS topic:

aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value "{}"

Replace <topic-arn> with the ARN of the SNS topic that you want to update.

Run the following command to verify that the policy for the SNS topic has been updated:

aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy

Replace <topic-arn> with the ARN of the SNS topic that you want to verify.

Repeat steps 3 to 8 for all the SNS topics in your AWS account that have cross-account access.

By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Have Cross Account Access” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of SNS Topics having cross-account access in AWS using python, you can follow the below steps:

Identify the SNS Topics that have cross-account access.
Revoke the cross-account access for those SNS Topics.
Verify that the cross-account access has been revoked successfully.

Here is the python code to remediate the misconfiguration:

import boto3

# Create an SNS client
sns = boto3.client('sns')

# Get all SNS Topics
topics = sns.list_topics()

# Loop through each topic
for topic in topics['Topics']:
    topic_arn = topic['TopicArn']
    
    # Get the topic policy
    policy = sns.get_topic_attributes(TopicArn=topic_arn)['Attributes']['Policy']
    
    # Check if the policy allows cross-account access
    if 'Statement' in policy:
        for statement in policy['Statement']:
            if 'Condition' in statement and 'ArnLike' in statement['Condition']:
                for arn in statement['Condition']['ArnLike'].values():
                    if 'AWS:*:*:' in arn:
                        print(f"Revoking cross-account access for {topic_arn}")
                        
                        # Revoke the cross-account access
                        statement['Condition']['ArnLike'] = {}
                        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName='Policy', AttributeValue=policy)
                        
                        print(f"Cross-account access revoked for {topic_arn}")

Note: This code will revoke cross-account access for all SNS Topics that have a policy allowing it. It is important to review the policy before revoking access to ensure that it is not needed for any legitimate use case.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Sns cross account access remediation

Triage and Remediation

Remediation