SNS Topic is Publicly Accessible
- Query id: 905f4741-f965-45c1-98db-f7a00a0e5c73
- Query name: SNS Topic is Publicly Accessible
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
Description¶
SNS Topic Policy should not allow any principal to access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - yaml file
---
- name: Create alarm SNS topic community
community.aws.sns_topic:
name: "alarms"
state: present
display_name: "alarm SNS topic"
delivery_policy:
http:
defaultHealthyRetryPolicy:
minDelayTarget: 2
maxDelayTarget: 4
numRetries: 3
numMaxDelayRetries: 5
backoffFunction: "<linear|arithmetic|geometric|exponential>"
disableSubscriptionOverrides: True
defaultThrottlePolicy:
maxReceivesPerSecond: 10
subscriptions:
- endpoint: "my_email_address@example.com"
protocol: "email"
- endpoint: "my_mobile_number"
protocol: "sms"
policy:
Version: '2022-05-02'
Statement:
- Action: Publish
Effect: Allow
Principal: "*"
- name: Create alarm SNS topic
sns_topic:
name: "alarms"
state: present
display_name: "alarm SNS topic"
delivery_policy:
http:
defaultHealthyRetryPolicy:
minDelayTarget: 2
maxDelayTarget: 4
numRetries: 3
numMaxDelayRetries: 5
backoffFunction: "<linear|arithmetic|geometric|exponential>"
disableSubscriptionOverrides: True
defaultThrottlePolicy:
maxReceivesPerSecond: 10
subscriptions:
- endpoint: "my_email_address@example.com"
protocol: "email"
- endpoint: "my_mobile_number"
protocol: "sms"
policy:
Version: '2022-05-02'
Statement:
- Effect: Allow
Action: Publish
Principal: '*'
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Create alarm SNS topic community
community.aws.sns_topic:
name: alarms
state: present
display_name: alarm SNS topic
delivery_policy:
http:
defaultHealthyRetryPolicy:
minDelayTarget: 2
maxDelayTarget: 4
numRetries: 3
numMaxDelayRetries: 5
backoffFunction: <linear|arithmetic|geometric|exponential>
disableSubscriptionOverrides: true
defaultThrottlePolicy:
maxReceivesPerSecond: 10
policy:
Version: '2022-05-02'
Statement:
- Effect: Allow
Action: Publish
Principal: NotAll
- name: Create alarm SNS topic
sns_topic:
name: alarms
state: present
display_name: alarm SNS topic
delivery_policy:
http:
defaultHealthyRetryPolicy:
minDelayTarget: 2
maxDelayTarget: 4
numRetries: 3
numMaxDelayRetries: 5
backoffFunction: <linear|arithmetic|geometric|exponential>
disableSubscriptionOverrides: true
defaultThrottlePolicy:
maxReceivesPerSecond: 10
policy:
Version: '2022-05-02'
Statement:
- Effect: Allow
Action: Publish
Principal: NotAll