SNS Topic is Publicly Accessible

  • Query id: 905f4741-f965-45c1-98db-f7a00a0e5c73
  • Query name: SNS Topic is Publicly Accessible
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • URL: Github

Description

The SNS topic policy should not allow any principal to access the topic: an Allow statement whose Principal is the wildcard "*" makes the topic publicly accessible.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Create alarm SNS topic community
  community.aws.sns_topic:
    name: "alarms"
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: "<linear|arithmetic|geometric|exponential>"
        disableSubscriptionOverrides: True
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    subscriptions:
      - endpoint: "my_email_address@example.com"
        protocol: "email"
      - endpoint: "my_mobile_number"
        protocol: "sms"
    policy:
      Version: '2022-05-02'
      Statement:
        - Action: Publish
          Effect: Allow
          Principal: "*"
- name: Create alarm SNS topic
  sns_topic:
    name: "alarms"
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: "<linear|arithmetic|geometric|exponential>"
        disableSubscriptionOverrides: True
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    subscriptions:
      - endpoint: "my_email_address@example.com"
        protocol: "email"
      - endpoint: "my_mobile_number"
        protocol: "sms"
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal: '*'

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create alarm SNS topic community
  community.aws.sns_topic:
    name: alarms
    state: present
    display_name: alarm SNS topic
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: <linear|arithmetic|geometric|exponential>
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
      - Effect: Allow
        Action: Publish
        Principal: NotAll

- name: Create alarm SNS topic
  sns_topic:
    name: alarms
    state: present
    display_name: alarm SNS topic
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: <linear|arithmetic|geometric|exponential>
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
      - Effect: Allow
        Action: Publish
        Principal: NotAll
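As an added check (not part of the KICS query or its test files), the following Python flags any Allow statement in an `sns_topic` / `community.aws.sns_topic` task whose Principal matches every caller. It goes slightly beyond the page's samples by also recognising the `{"AWS": "*"}` and list forms of the wildcard that IAM accepts, and it assumes the playbook has already been loaded into Python structures (as a YAML loader would produce); the sample tasks are constructed.

```python
SNS_MODULES = ("sns_topic", "community.aws.sns_topic")


def is_wildcard_principal(principal) -> bool:
    """True when the Principal element matches every caller: the string "*",
    a list containing "*", or a map such as {"AWS": "*"} / {"AWS": ["*"]}."""
    if isinstance(principal, str):
        return principal == "*"
    if isinstance(principal, list):
        return any(is_wildcard_principal(p) for p in principal)
    if isinstance(principal, dict):
        return any(is_wildcard_principal(v) for v in principal.values())
    return False


def public_sns_statements(task: dict) -> list:
    """Return the Allow statements with a wildcard principal in an SNS topic task."""
    params = next((task[m] for m in SNS_MODULES if m in task), None)
    if not isinstance(params, dict):
        return []  # not an SNS topic task
    statements = (params.get("policy") or {}).get("Statement", [])
    if not isinstance(statements, list):  # IAM allows a single statement object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]


def scan_playbook(tasks: list) -> list:
    """Return (task name, offending statement) pairs for every task in the list."""
    return [(t.get("name"), s) for t in tasks for s in public_sns_statements(t)]


# Constructed sample: the page's two vulnerable tasks (the second using the map
# form of the wildcard) plus a task restricted to a single account principal.
SAMPLE_TASKS = [
    {"name": "Create alarm SNS topic community", "community.aws.sns_topic": {
        "name": "alarms", "state": "present", "policy": {"Version": "2012-10-17",
        "Statement": [{"Action": "Publish", "Effect": "Allow", "Principal": "*"}]}}},
    {"name": "Create alarm SNS topic", "sns_topic": {
        "name": "alarms", "state": "present", "policy": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "Publish", "Principal": {"AWS": "*"}}]}}},
    {"name": "Create restricted SNS topic", "sns_topic": {
        "name": "alarms", "state": "present", "policy": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "Publish",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}}},
]

if __name__ == "__main__":
    for name, stmt in scan_playbook(SAMPLE_TASKS):
        print(f"PUBLIC: task {name!r} allows {stmt['Action']} to principal {stmt['Principal']!r}")
```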