SNS Topic Publicity Has Allow and NotAction Simultaneously
- Query id: 5ea624e4-c8b1-4bb3-87a4-4235a776adcc
- Query name: SNS Topic Publicity Has Allow and NotAction Simultaneously
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
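An SNS topic policy should not combine 'Effect: Allow' with the argument 'NotAction' in the same statement. 'Allow' with 'NotAction' grants every action except the ones listed, so the statement permits far more than an explicit list would, including actions the service adds later. If a statement has 'Effect: Allow', the argument stated should be 'Action'.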
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Declares an SNS topic and sets only its name.
# NOTE(review): the policy resource that follows in this sample points at
# aws_sns_topic.test, not at this topic (positive1) — confirm which was intended.
resource "aws_sns_topic" "positive1" {
name = "my-topic-with-policy"
}
# Flagged sample: the policy's only statement pairs "Effect": "Allow" with
# "NotAction". Allow + NotAction grants every action except the one listed,
# so the grant is open-ended instead of an explicit allow-list.
resource "aws_sns_topic_policy" "positive2" {
# NOTE(review): aws_sns_topic.test is not declared in this sample (the topic
# above is named positive1) — confirm the intended reference.
arn = aws_sns_topic.test.arn
# The JSON below is the heredoc's string value, so it cannot carry comments.
# NOTE(review): the statement names an S3 action and an S3 ARN although it is
# attached to an SNS topic, and it has no Principal element; it reads as a
# minimal fixture for the rule rather than a deployable policy — confirm.
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYPOLICYTEST",
"Statement": [
{
"NotAction": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*",
"Sid": "MyStatementId",
"Effect": "Allow"
}
]
}
POLICY
}
Positive test num. 2 - tf file
# Flagged sample: a module call whose inline policy statement pairs
# "Effect": "Allow" with "NotAction".
# NOTE(review): this is an S3 bucket module, not an SNS topic, yet the page
# lists it under the SNS query — presumably the query also inspects a module's
# policy attribute. Confirm against the query source.
module "s3_bucket" {
# Registry module pinned to an exact version.
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
# The statement allows every action except s3:DeleteBucket on arn:aws:s3:::*.
# The JSON is the heredoc's string value, so it cannot carry comments.
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYPOLICYTEST",
"Statement": [
{
"NotAction": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*",
"Sid": "MyStatementId",
"Effect": "Allow"
}
]
}
POLICY
# Default server-side encryption uses aws:kms with the key referenced as
# aws_kms_key.mykey, which is not declared in this sample.
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Declares an SNS topic and sets only its name.
# NOTE(review): the policy resource that follows in this sample points at
# aws_sns_topic.test, not at this topic (negative1) — confirm which was intended.
resource "aws_sns_topic" "negative1" {
name = "my-topic-with-policy"
}
# Passing sample: the statement uses "Action" with "Effect": "Allow", so the
# allow covers only the action that is named. "Passing" here means only that
# this query does not fire; it is not a review of the policy as a whole.
resource "aws_sns_topic_policy" "negative2" {
# NOTE(review): aws_sns_topic.test is not declared in this sample (the topic
# above is named negative1) — confirm the intended reference.
arn = aws_sns_topic.test.arn
# The JSON below is the heredoc's string value, so it cannot carry comments.
# NOTE(review): the statement still names an S3 action and an S3 wildcard ARN
# on an SNS topic policy and has no Principal element; treat it as a rule
# fixture, not as a template to copy — confirm.
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYPOLICYTEST",
"Statement": [
{
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*",
"Sid": "MyStatementId",
"Effect": "Allow"
}
]
}
POLICY
}
Negative test num. 2 - tf file
# Passing sample: the same module call as the flagged one, except that the
# policy statement uses "Action" instead of "NotAction".
# NOTE(review): this is an S3 bucket module, not an SNS topic, yet the page
# lists it under the SNS query — presumably the query also inspects a module's
# policy attribute. Confirm against the query source.
module "s3_bucket" {
# Registry module pinned to an exact version.
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
# The statement allows only s3:DeleteBucket, on arn:aws:s3:::*. The query does
# not fire on it; the wildcard resource and the missing Principal are outside
# what this rule checks.
# The JSON is the heredoc's string value, so it cannot carry comments.
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYPOLICYTEST",
"Statement": [
{
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*",
"Sid": "MyStatementId",
"Effect": "Allow"
}
]
}
POLICY
# Default server-side encryption uses aws:kms with the key referenced as
# aws_kms_key.mykey, which is not declared in this sample.
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}