SNS Topic is publicly accessible
ID | aws_sns_topic_public_accessible
Severity | critical
Vendor | AWS
Resource | IAM
Tags | reachable
Description
SNS Topic is publicly accessible. Unless you explicitly require anyone on the internet to be able to read or write to your Amazon SNS topic, you should ensure that your topic is not publicly accessible (by everyone in the world or by any authenticated AWS user).
To fix it:
- Avoid creating policies with Principal set to "".
- Avoid using a wildcard (*). Instead, name a specific user or users.
Learn more about this topic at Amazon SNS security best practices.
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create a topic permitting S3 bucket notifications
      community.aws.sns_topic:
        name: "S3Notifications"
        state: present
        display_name: "S3 notifications SNS topic"
        policy:
          Id: s3-topic-policy
          Version: "2012-10-17"  # quoted so YAML does not parse it as a date
          Statement:
            - Sid: Statement-id
              Effect: Allow
              Resource: "arn:aws:sns:*:*:S3Notifications"
              Principal: "*"  # wildcard principal: this is what the rule flags
              Action: sns:Publish
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Create a topic permitting S3 bucket notifications
      community.aws.sns_topic:
        name: "S3Notifications"
        state: present
        display_name: "S3 notifications SNS topic"
        policy:
          Id: s3-topic-policy
          Version: "2012-10-17"  # quoted so YAML does not parse it as a date
          Statement:
            - Sid: Statement-id
              Effect: Allow
              Resource: "arn:aws:sns:*:*:S3Notifications"
              Principal:
                Service: s3.amazonaws.com  # only the S3 service may publish
              Action: sns:Publish
              Condition:
                ArnLike:
                  aws:SourceArn: "arn:aws:s3:*:*:SomeBucket"
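The following is an added Python check, not part of this rule's page or of the community.aws collection, that applies the rule's test to a topic policy: an Allow statement whose Principal is "*" or {"AWS": "*"} makes the topic public. The two policies below are constructed to match the flagged example and the fixed playbook above.

```python
import copy

# Policy from the flagged example above, written as the JSON the module sends to SNS (constructed).
PUBLIC_POLICY = {
    "Id": "s3-topic-policy",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement-id",
        "Effect": "Allow",
        "Resource": "arn:aws:sns:*:*:S3Notifications",
        "Principal": "*",
        "Action": "sns:Publish",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:SomeBucket"}},
    }],
}

# The same policy after the fix: a service principal instead of a wildcard (constructed).
FIXED_POLICY = copy.deepcopy(PUBLIC_POLICY)
FIXED_POLICY["Statement"][0]["Principal"] = {"Service": "s3.amazonaws.com"}


def is_wildcard_principal(principal):
    """True for Principal "*" (everyone) or {"AWS": "*"} (any authenticated AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_statements(policy):
    """Return the Sids of Allow statements granted to a wildcard principal.

    As on the page, a Condition does not clear the finding: the wildcard principal
    itself is what the rule reports, so conditions are not inspected here.
    """
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]


def is_public(policy):
    """True when at least one statement makes the topic publicly accessible."""
    return bool(public_statements(policy))
```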