SNS Topic is Publicly Accessible
- Query id: ae53ce91-42b5-46bf-a84f-9a13366a4f13
- Query name: SNS Topic is Publicly Accessible
- Platform: CloudFormation
- Severity: Critical
- Category: Access Control
- CWE: 284
- URL: Github
Description
An SNS topic policy should not allow any principal ("Principal": "*") to access the topic. An Allow statement with a wildcard principal grants the listed actions (for example sns:Publish) to anyone, not only to identities in your account.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  snsPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement: [
          {
            "Sid": "MyTopicPolicy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["sns:Publish"],
            "Resource": "arn:aws:sns:MyTopic"
          }]
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "mysnspolicy0": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "My-statement-id",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sns:Publish",
            "Resource": "*"
          }]
        },
        "Topics": [{ "Ref": "MySNSTopic" }]
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  snsPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement: [
          {
            "Sid": "MyTopicPolicy",
            "Effect": "Allow",
            "Principal": "otherPrincipal",
            "Action": ["sns:Publish"],
            "Resource": "arn:aws:sns:MyTopic"
          }]
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "mysnspolicy0": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyTopicPolicy",
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "My-statement-id",
            "Effect": "Allow",
            "Principal": "otherPrincipal",
            "Action": "sns:Publish",
            "Resource": "*"
          }]
        },
        "Topics": [{ "Ref": "MySNSTopic" }]
      }
    }
  }
}
```
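As an added example (not KICS code and not one of the page's samples), a small Python scanner that applies this query's rule to a JSON CloudFormation template: it flags every Allow statement in an AWS::SNS::TopicPolicy whose Principal is the wildcard. The embedded templates are the page's JSON test cases, compacted; recognising the list and {"AWS": "*"} spellings of the wildcard goes beyond the page's samples, and the "conditioned" flag is an assumption of this example, marking statements that carry a Condition for manual review rather than suppressing them.

```python
import json
from typing import Any, Dict, List

# Constructed inputs: the page's JSON test cases, compacted. PUBLIC_JSON is the
# positive (flagged) sample, PRIVATE_JSON the negative one.
PUBLIC_JSON = """{"AWSTemplateFormatVersion": "2010-09-09", "Resources": {"mysnspolicy0": {
  "Type": "AWS::SNS::TopicPolicy", "Properties": {"PolicyDocument": {"Version": "2012-10-17",
  "Statement": [{"Sid": "My-statement-id", "Effect": "Allow", "Principal": "*",
  "Action": "sns:Publish", "Resource": "*"}]}, "Topics": [{"Ref": "MySNSTopic"}]}}}}"""
PRIVATE_JSON = PUBLIC_JSON.replace('"Principal": "*"', '"Principal": "otherPrincipal"')

def _as_list(value: Any) -> list:
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_is_wildcard(principal: Any) -> bool:
    """True for "*", ["*", ...], {"AWS": "*"} and {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        return any(principal_is_wildcard(v) for v in principal.values())
    return any(p == "*" for p in _as_list(principal))

def find_public_sns_policies(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per Allow statement with a wildcard principal in any
    AWS::SNS::TopicPolicy resource. A Condition does not suppress the finding;
    it only sets "conditioned" so the condition keys get reviewed by hand."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::SNS::TopicPolicy":
            continue
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        for statement in _as_list(document.get("Statement", [])):
            if statement.get("Effect") != "Allow":
                continue
            if not principal_is_wildcard(statement.get("Principal", {})):
                continue
            findings.append({
                "resource": name,
                "sid": statement.get("Sid"),
                "actions": _as_list(statement.get("Action", [])),
                "conditioned": "Condition" in statement,
            })
    return findings

def scan(template_json: str) -> List[Dict[str, Any]]:
    return find_public_sns_policies(json.loads(template_json))

if __name__ == "__main__":
    for label, template in (("public", PUBLIC_JSON), ("private", PRIVATE_JSON)):
        print(label, scan(template))
```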