SNS Topic Publicity Has Allow and NotAction Simultaneously

  • Query id: 818f38ed-8446-4132-9c03-474d49e10195
  • Query name: SNS Topic Publicity Has Allow and NotAction Simultaneously
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  mysnspolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: MyTopicPolicy
        Version: '2012-10-17'
        Statement:
        - Sid: MyStatementId
          Effect: Allow
          NotAction: "s3:DeleteBucket"
          Resource: "arn:aws:s3:::*"
        - Sid: MyStatementId2
          Effect: Allow
          NotAction: "iam:*"
          Resource: "*"
      Topics:
      - !Ref mytopic
Postitive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "mysnspolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "NotAction": "s3:DeleteBucket",
              "Resource": "arn:aws:s3:::*",
              "Sid": "MyStatementId",
              "Effect": "Allow"
            },
            {
              "Sid": "MyStatementId2",
              "Effect": "Allow",
              "NotAction": "iam:*",
              "Resource": "*"
            }
          ]
        },
        "Topics": [
          "mytopic"
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  mysnspolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: MyTopicPolicy
        Version: '2012-10-17'
        Statement:
        - Sid: Mystatementid
          Effect: Allow
          Principal:
            AWS: !GetAtt myuser.Arn
          Action: sns:Publish
          Resource: "*"
      Topics:
      - !Ref mytopic
Negative test num. 2 - json file
{
  "Resources": {
    "mysnspolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Mystatementid",
              "Effect": "Allow",
              "Principal": {
                "AWS": "myuser.Arn"
              },
              "Action": "sns:Publish",
              "Resource": "*"
            }
          ]
        },
        "Topics": [
          "mytopic"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template"
}