SNS Topics Should Not Be Exposed

More Info:

There should not be any publicly accessible SNS topics in order to protect them against attackers or unauthorized personnel.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “SNS Topics Should Not Be Exposed” in AWS using AWS CLI, you can follow these steps:

Identify the exposed SNS topics in your AWS account using the following AWS CLI command:

aws sns list-topics

Once you have identified the exposed SNS topics, you can remove the public access policy from them using the following AWS CLI command:

aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --attribute-name Policy --attribute-value ""

Note: Replace the topic ARN with the ARN of the exposed SNS topic in your AWS account.

You can also restrict access to the SNS topic by updating the access policy to allow only authorized AWS accounts or IAM users to access it. You can use the following AWS CLI command to update the access policy:

aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --attribute-name Policy --attribute-value '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/MyUser" }, "Action": "sns:Publish", "Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic" } ] }'

Note: Replace the topic ARN and IAM user ARN with the ARNs of the exposed SNS topic and authorized IAM user in your AWS account.

Finally, you can also enable SNS encryption using AWS KMS to ensure that the data in the SNS topic is encrypted at rest and in transit. You can use the following AWS CLI command to enable SNS encryption:

aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --attribute-name KmsMasterKeyId --attribute-value "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"

Note: Replace the topic ARN and KMS key ARN with the ARNs of the SNS topic and KMS key in your AWS account.By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Be Exposed” in your AWS account using AWS CLI.

Using Python

To remediate the misconfiguration “SNS Topics Should Not Be Exposed” in AWS using Python, you can follow the below steps:Step 1: Create an AWS Lambda function with the following code:

import boto3

def lambda_handler(event, context):
    sns = boto3.client('sns')
    topics = sns.list_topics()['Topics']
    for topic in topics:
        topic_arn = topic['TopicArn']
        response = sns.remove_permission(
            TopicArn=topic_arn,
            Label='Everyone'
        )
        print(response)

Step 2: Save and deploy the Lambda function to your AWS account.Step 3: Create an AWS CloudWatch Event Rule that triggers the Lambda function on a schedule or based on a specific event.Step 4: Test the Lambda function to ensure that it removes the “Everyone” permission from all SNS topics in your AWS account.This code will remove the “Everyone” permission from all SNS topics in your AWS account, which will prevent unauthorized access to your SNS topics.

Additional Reading:

https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SNS Topics Should Not Be Exposed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: