SNS topic policy is publicly accessible
Description
AWS SNS is a hosted topics (publish/subscribe) service that lets you integrate distributed software systems and components. It provides a generic web services API and can be accessed from any programming language that the AWS SDK supports.
A public SNS topic policy (one whose Principal is "*" without a restricting condition) exposes the topic to unwanted third parties, who can subscribe to or publish on an existing data stream, resulting in a data leak to an unwanted party.
Fix - Runtime
AWS Console
To change the policy using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon SNS console.
- Select an SNS topic and navigate to the Permissions tab.
- Select the topic policy and click Edit.
- Navigate to the Principal section.
- Clear the Everybody (*) checkbox and enter the AWS account ID of the principal to be allowed or denied (based on your access requirements).
- To update the policy, select Save Changes.
CLI Command
List SNS topics and review each topic's policy using the following commands.
Replace the topic ARN in the example with your own.
aws sns list-topics
aws sns get-topic-attributes \
  --topic-arn arn:aws:sns:us-west-2:123456789012:mytopic
# To pretty print the policy
aws sns get-topic-attributes \
  --topic-arn arn:aws:sns:us-west-2:123456789012:mytopic \
  --query 'Attributes.Policy' \
  --output text | python -m json.tool
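The following is an added example (not part of the original page or of any AWS tooling) that automates the review step above: it takes the Policy attribute returned by get-topic-attributes, reports the Allow statements whose Principal is the wildcard "*" with no Condition, and produces a corrected policy in which the wildcard is replaced by the owning account's root ARN. The sample policies and the account ID 123456789012 are constructed for the example; the helper names (public_statements, restrict_to_account) are the example's own.

```python
import json
import sys

# Constructed sample: a topic policy that allows anyone to subscribe.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["SNS:Subscribe", "SNS:Receive"],
        "Resource": "arn:aws:sns:us-west-2:123456789012:mytopic",
    }],
})

# Constructed sample: access limited to the owning account (the desired state).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOwnerAccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "SNS:*",
        "Resource": "arn:aws:sns:us-west-2:123456789012:mytopic",
    }],
})

# Constructed sample: wildcard principal, but scoped by a Condition on the
# source owner. The check below does not flag it; conditions need a manual look.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DefaultStyle",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-west-2:123456789012:mytopic",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or any {"AWS": "*"} / {"AWS": [..., "*"]} form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements open to everybody with no Condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition; review the condition by hand
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def is_public(policy_json):
    return bool(public_statements(policy_json))


def restrict_to_account(policy_json, account_id):
    """Rewrite every wildcard principal to the given account's root ARN."""
    policy = json.loads(policy_json)
    owner = {"AWS": "arn:aws:iam::%s:root" % account_id}
    statements = _as_list(policy.get("Statement", []))
    for stmt in statements:
        if _principal_is_wildcard(stmt.get("Principal")):
            stmt["Principal"] = owner
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Usage: pipe the Policy attribute text in, e.g. the get-topic-attributes
    # command above with --query 'Attributes.Policy' --output text.
    document = sys.stdin.read() or PUBLIC_POLICY
    for sid in public_statements(document):
        print("public statement:", sid)
```

The corrected document that restrict_to_account returns can be written to a file and applied with `aws sns set-topic-attributes --topic-arn <arn> --attribute-name Policy --attribute-value file://policy.json`, after confirming that the remaining principals match the access you intend.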