SNS Topics Should Not Allow Global Publishing

More Info:

Your AWS Simple Notification Service (SNS) topics should not allow Everyone to publish in order to protect against attackers or unauthorized users that can publish malicious messages to your topics.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the SNS topic global publishing misconfiguration in AWS:

Open the AWS Management Console and navigate to the SNS service.
Click on the SNS topic that needs to be remediated.
In the topic details page, click on the “Access Policy” tab.
Click on the “Edit” button to modify the access policy.
In the access policy editor, remove the following statement:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:*:*:*"
}

Click on the “Save Changes” button to save the updated access policy.
Verify that the access policy no longer allows global publishing by checking that the Principal is no longer set to "*".
Repeat these steps for any other SNS topics that need to be remediated.

That’s it! By following these steps, you have successfully remediated the SNS topic global publishing misconfiguration in AWS.

Using CLI

To remediate the misconfiguration of SNS Topics allowing global publishing in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your system.
Run the following command to list all the SNS topics in your AWS account:
```
aws sns list-topics
```
Identify the ARN of the SNS topic that needs to be remediated.

Run the following command to update the SNS topic policy to disallow global publishing:

aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value '{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{"Effect":"Deny","Principal":"*","Action":"SNS:Publish","Resource":"<topic-arn>","Condition":{"StringEquals":{"AWS:SourceOwner":"<aws-account-id>"}}}]}'

Replace <topic-arn> with the ARN of the SNS topic identified in step 3 and <aws-account-id> with your AWS account ID.

Verify that the SNS topic policy has been updated successfully by running the following command:
```
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
```
This command should return the updated policy that disallows global publishing.
Repeat steps 3-5 for all the SNS topics in your AWS account that allow global publishing.

By following these steps, you can remediate the misconfiguration of SNS topics allowing global publishing in AWS using AWS CLI.

Using Python

To remediate the misconfiguration in AWS where SNS Topics should not allow global publishing, you can follow the below steps using Python:

Create an AWS SNS client using the Boto3 library in Python.

import boto3

sns_client = boto3.client('sns')

Get the list of all SNS topics using the list_topics() method.

response = sns_client.list_topics()
topics = response['Topics']

For each topic, check if it has the Policy attribute set. If it does, retrieve the policy using the get_topic_attributes() method.

for topic in topics:
    topic_arn = topic['TopicArn']
    response = sns_client.get_topic_attributes(TopicArn=topic_arn)
    policy = response.get('Attributes', {}).get('Policy')

If the policy exists, parse it using the json module and check if it allows global publishing. If it does, update the policy to disallow global publishing using the set_topic_attributes() method.

import json

if policy:
    policy_json = json.loads(policy)
    if 'Statement' in policy_json:
        for statement in policy_json['Statement']:
            if (statement.get('Effect') == 'Allow' and 
                statement.get('Principal') == '*'):
                policy_json['Statement'].remove(statement)
        new_policy = json.dumps(policy_json)
        sns_client.set_topic_attributes(TopicArn=topic_arn, 
                                         AttributeName='Policy', 
                                         AttributeValue=new_policy)

Once all the policies have been updated, the misconfiguration has been remediated.

Note: Make sure to have the appropriate AWS credentials and permissions set up for the Python script to access and modify SNS topics.

Additional Reading:

https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SNS Topics Should Not Allow Global Publishing

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: