AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
SNS Topics Should Not Allow Global Publishing
More Info:
Your AWS Simple Notification Service (SNS) topics should not allow Everyone to publish in order to protect against attackers or unauthorized users that can publish malicious messages to your topics.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the SNS topic global publishing misconfiguration in AWS:
- Open the AWS Management Console and navigate to the SNS service.
- Click on the SNS topic that needs to be remediated.
- In the topic details page, click on the “Access Policy” tab.
- Click on the “Edit” button to modify the access policy.
- In the access policy editor, remove the following statement:
{
"Effect": "Allow",
"Principal": "*",
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:*:*:*"
}
- Click on the “Save Changes” button to save the updated access policy.
- Verify that the access policy no longer allows global publishing by checking that the
Principalis no longer set to"*". - Repeat these steps for any other SNS topics that need to be remediated.
That’s it! By following these steps, you have successfully remediated the SNS topic global publishing misconfiguration in AWS.
To remediate the misconfiguration of SNS Topics allowing global publishing in AWS using AWS CLI, follow these steps:
-
Open the AWS CLI on your system.
-
Run the following command to list all the SNS topics in your AWS account:
aws sns list-topics -
Identify the ARN of the SNS topic that needs to be remediated.
-
Run the following command to update the SNS topic policy to disallow global publishing:
aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value '{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{"Effect":"Deny","Principal":"*","Action":"SNS:Publish","Resource":"<topic-arn>","Condition":{"StringEquals":{"AWS:SourceOwner":"<aws-account-id>"}}}]}'Replace
<topic-arn>with the ARN of the SNS topic identified in step 3 and<aws-account-id>with your AWS account ID. -
Verify that the SNS topic policy has been updated successfully by running the following command:
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names PolicyThis command should return the updated policy that disallows global publishing.
-
Repeat steps 3-5 for all the SNS topics in your AWS account that allow global publishing.
By following these steps, you can remediate the misconfiguration of SNS topics allowing global publishing in AWS using AWS CLI.
To remediate the misconfiguration in AWS where SNS Topics should not allow global publishing, you can follow the below steps using Python:
- Create an AWS SNS client using the Boto3 library in Python.
import boto3
sns_client = boto3.client('sns')
- Get the list of all SNS topics using the
list_topics()method.
response = sns_client.list_topics()
topics = response['Topics']
- For each topic, check if it has the
Policyattribute set. If it does, retrieve the policy using theget_topic_attributes()method.
for topic in topics:
topic_arn = topic['TopicArn']
response = sns_client.get_topic_attributes(TopicArn=topic_arn)
policy = response.get('Attributes', {}).get('Policy')
- If the policy exists, parse it using the
jsonmodule and check if it allows global publishing. If it does, update the policy to disallow global publishing using theset_topic_attributes()method.
import json
if policy:
policy_json = json.loads(policy)
if 'Statement' in policy_json:
for statement in policy_json['Statement']:
if (statement.get('Effect') == 'Allow' and
statement.get('Principal') == '*'):
policy_json['Statement'].remove(statement)
new_policy = json.dumps(policy_json)
sns_client.set_topic_attributes(TopicArn=topic_arn,
AttributeName='Policy',
AttributeValue=new_policy)
- Once all the policies have been updated, the misconfiguration has been remediated.
Note: Make sure to have the appropriate AWS credentials and permissions set up for the Python script to access and modify SNS topics.