SNS Topics Should Not Allow Global Subscribe

More Info:

Your AWS Simple Notification Service (SNS) topics should not allow “Everyone” to subscribe in order to protect the messages published to your topics against attackers or unauthorized personnel.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate this misconfiguration in AWS using the AWS console:

Open the Amazon SNS console at https://console.aws.amazon.com/sns/.
In the navigation pane, choose Topics.
Select the SNS topic that you want to remediate.
Choose the Access policy tab.
In the Access policy editor, locate the statement that grants global subscribe permissions. It should look like this:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "SNS:Subscribe",
  "Resource": "arn:aws:sns:us-east-1:123456789012:MyTopic",
  "Condition": {
    "StringEquals": {
      "AWS:SourceOwner": "123456789012"
    }
  }
}

Remove the "Principal": "*" line from the statement to restrict subscriptions to only AWS accounts that you explicitly specify.
Choose Save changes to update the access policy for the SNS topic.

That’s it! You have successfully remediated the misconfiguration by removing global subscribe permissions from the SNS topic.

Using CLI

To remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using AWS CLI, you can follow these steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the SNS topics in your AWS account:
```
aws sns list-topics
```
Identify the SNS topic(s) that have global subscription enabled.

Run the following command to update the policy of the identified SNS topic(s) to disallow global subscription:

aws sns set-topic-attributes --topic-arn <topic-arn> --attribute-name Policy --attribute-value '{"Version":"2008-10-17","Id":"__default_policy_ID","Statement":[{"Effect":"Deny","Principal":{"AWS":"*"},"Action":"SNS:Subscribe","Resource":"<topic-arn>"}]}'

Replace <topic-arn> with the ARN of the identified SNS topic.

Verify that the policy has been updated successfully by running the following command:
```
aws sns get-topic-attributes --topic-arn <topic-arn> --attribute-names Policy
```
Replace <topic-arn> with the ARN of the identified SNS topic.
Repeat steps 3-5 for all the SNS topics that have global subscription enabled.

By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using Python, you can follow the below steps:

First, you need to get a list of all the SNS topics in your AWS account using the boto3 library in Python. You can use the following code snippet to achieve this:

import boto3

sns = boto3.client('sns')
response = sns.list_topics()
topics = response['Topics']

Once you have the list of all SNS topics, you can iterate through each topic and check if it allows global subscriptions. To do this, you need to get the policy of the SNS topic using the get_topic_attributes method and then check if the policy allows global subscriptions. You can use the following code snippet to achieve this:

for topic in topics:
    topic_arn = topic['TopicArn']
    attributes = sns.get_topic_attributes(TopicArn=topic_arn)
    policy = attributes['Attributes']['Policy']
    if 'AllowEveryoneToSubscribe' in policy:
        # Remove the global subscription permission
        policy = policy.replace('"AllowEveryoneToSubscribe": "true"', '"AllowEveryoneToSubscribe": "false"')
        # Update the policy
        sns.set_topic_attributes(TopicArn=topic_arn, AttributeName='Policy', AttributeValue=policy)

Finally, you need to test the remediation by checking if the SNS topics still allow global subscriptions. You can use the same code snippet in step 2 to check the policy of each SNS topic and make sure that the “AllowEveryoneToSubscribe” parameter is set to “false”.

By following these steps, you can remediate the misconfiguration “SNS Topics Should Not Allow Global Subscribe” in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SNS Topics Should Not Allow Global Subscribe

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: