Publicly accessible SNS topic

PLATFORM
SERVICE: sns
DATA BREACHES: unknown
LAST UPDATED
EXPLOITABILITY: medium (exploitability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)
IMPACT: medium (how impactful to your environment and organization a successful exploitation of this vulnerability is expected to be)

About

SNS topics have a resource policy attached specifying who can access messages in the topic. This policy can be configured to allow public read and write access to these messages.

Understanding Impact

Business Impact

SNS topics are frequently used for publish/subscribe applications. When a topic is insecurely configured, anyone can access messages it contains. These messages frequently contain sensitive and personal data.

Technical Impact

SNS topics can be shared through their resource policy. In general, this is used to share a topic cross-account, for instance to allow another AWS account to publish messages to the topic. However, it is common for the resource policy to be too open, allowing any principal, including principals outside the AWS account, to access all messages in the topic.

Identify affected resources

You can use the following AWS CLI command to retrieve the resource-based policy attached to a specific SNS topic:

aws sns get-topic-attributes \
  --topic-arn <your-topic> \
  --query "Attributes.Policy" \
  --output text

The topic is vulnerable if its policy grants everyone (a Principal of "*" or {"AWS": "*"}) an action such as sns:Publish or sns:Subscribe without a Condition that narrows the principal. A wildcard principal constrained by a Condition on, for example, AWS:SourceOwner or aws:SourceArn is scoped to a specific account and is not public in the same sense; the sample vulnerable policy below has no such condition.

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:0123456789012:vulnerable-topic"
    }
  ]
}
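As an added example that is not part of this page or of Datadog's tooling, the following Python applies the check above to the raw Attributes.Policy string returned by the CLI command: it flags Allow statements that grant a sensitive action to a wildcard principal with no Condition. The account id and topic names in the constructed samples are placeholders, and the AWS:SourceOwner condition is assumed as the typical way a wildcard principal is scoped to one account.

```python
import json
from typing import Any, List

# Actions that let anyone inject (Publish) or read (Subscribe) messages. IAM action
# names are case-insensitive, so everything is compared in lower case.
SENSITIVE_ACTIONS = {"sns:publish", "sns:subscribe", "sns:*", "*"}

def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_everyone(principal: Any) -> bool:
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean any caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy_json: str) -> List[str]:
    """Return the Sids of Allow statements that grant a sensitive action to everyone
    with no Condition. Input is the Attributes.Policy string from get-topic-attributes."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_everyone(stmt.get("Principal")):
            continue
        # A Condition (for example StringEquals on AWS:SourceOwner) scopes the wildcard
        # to one account; only unconditioned wildcards are flagged here.
        if stmt.get("Condition"):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if SENSITIVE_ACTIONS.intersection(actions):
            findings.append(stmt.get("Sid", f"statement-{idx}"))
    return findings

# Constructed sample: the page's vulnerable policy with a placeholder account id.
VULNERABLE = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe"],
    "Resource": "arn:aws:sns:us-east-1:123456789012:vulnerable-topic"}]})

# Constructed sample: same wildcard principal, scoped to one account by a Condition.
SCOPED = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe"],
    "Resource": "arn:aws:sns:us-east-1:123456789012:scoped-topic",
    "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}}]})

if __name__ == "__main__":
    print(public_statements(VULNERABLE))  # ['__default_statement_ID']
    print(public_statements(SCOPED))      # []
```

Statements flagged by a Condition-less wildcard are the ones to remediate; conditioned wildcards are skipped and should still be reviewed by hand, since a Condition can be weaker than it looks.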

Remediate vulnerable resources

Change the SNS topic policy so it does not allow public access. For instance, you may want to limit access to the topic to authorized users in the same AWS account:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "grant-1234-publish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "<your-aws-account-id>"
    },
    "Action": ["sns:Publish"],
    "Resource": "arn:aws:sns:us-east-1:0123456789012:vulnerable-topic"
  }]
}

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | SNS topic should not be publicly accessible".

