SNS Topic is Publicly Accessible
- Query id: 905f4741-f965-45c1-98db-f7a00a0e5c73
- Query name: SNS Topic is Publicly Accessible
- Platform: Ansible
- Severity: Critical
- Category: Access Control
- CWE: 284
- Risk score: 8.8
- URL: Github
Description

An SNS topic policy should not grant access to any principal (a wildcard principal) without a condition that restricts who can use the statement.

Documentation
Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

```yaml
---
- name: Create alarm SNS topic community
  community.aws.sns_topic:
    name: "alarms"
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: "<linear|arithmetic|geometric|exponential>"
        disableSubscriptionOverrides: True
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    subscriptions:
      - endpoint: "my_email_address@example.com"
        protocol: "email"
      - endpoint: "my_mobile_number"
        protocol: "sms"
    policy:
      Version: '2022-05-02'
      Statement:
        - Action: Publish
          Effect: Allow
          Principal:
            AWS: "*"

- name: Create alarm SNS topic
  sns_topic:
    name: "alarms"
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: "<linear|arithmetic|geometric|exponential>"
        disableSubscriptionOverrides: True
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    subscriptions:
      - endpoint: "my_email_address@example.com"
        protocol: "email"
      - endpoint: "my_mobile_number"
        protocol: "sms"
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal:
            AWS: "*"
```
Positive test num. 2 - yaml file

```yaml
---
- name: Create alarm SNS topic community
  community.aws.sns_topic:
    name: "alarms"
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: "<linear|arithmetic|geometric|exponential>"
        disableSubscriptionOverrides: True
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    subscriptions:
      - endpoint: "my_email_address@example.com"
        protocol: "email"
      - endpoint: "my_mobile_number"
        protocol: "sms"
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal:
            AWS: "*"
          Condition:
            StringEquals:
              sns:Endpoint: "my_email_address@example.com"

- name: Create alarm SNS topic
  sns_topic:
    name: "alarms"
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: "<linear|arithmetic|geometric|exponential>"
        disableSubscriptionOverrides: True
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    subscriptions:
      - endpoint: "my_email_address@example.com"
        protocol: "email"
      - endpoint: "my_mobile_number"
        protocol: "sms"
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal:
            AWS: "*"
          Condition:
            StringEquals:
              sns:Endpoint: "my_email_address@example.com"
```
Code samples without security vulnerabilities

Negative test num. 1 - yaml file

```yaml
- name: Create alarm SNS topic community
  community.aws.sns_topic:
    name: alarms
    state: present
    display_name: alarm SNS topic
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: <linear|arithmetic|geometric|exponential>
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal: "arn:aws:iam::123456789012:root"

- name: Create alarm SNS topic
  sns_topic:
    name: alarms
    state: present
    display_name: alarm SNS topic
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: <linear|arithmetic|geometric|exponential>
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal: "arn:aws:iam::123456789012:root"
```
Negative test num. 2 - yaml file

```yaml
- name: Create SNS topic with safe policy
  community.aws.sns_topic:
    name: secure-topic
    display_name: "Secure SNS Topic"
    state: present
    policy:
      Id: secure-topic-policy
      Version: "2012-10-17"
      Statement:
        - Sid: AllowPublishFromSpecificAccount
          Effect: Allow
          Resource: "arn:aws:sns:*:*:secure-topic"
          Principal: "*"
          Action: sns:Publish
          Condition:
            StringEquals:
              aws:SourceAccount: "123456789012"

- name: Create alarm SNS topic
  sns_topic:
    name: alarms
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: exponential
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal: "*"
          Condition:
            StringEquals:
              aws:SourceOwner: "123456789012"
```
Negative test num. 3 - yaml file

```yaml
- name: Create SNS topic with mixed conditions
  community.aws.sns_topic:
    name: mixed-topic
    display_name: "Mixed SNS Topic"
    state: present
    policy:
      Id: mixed-topic-policy
      Version: "2012-10-17"
      Statement:
        - Sid: AllowAnyPrincipalWithRestrictions
          Effect: Allow
          Resource: "arn:aws:sns:*:*:mixed-topic"
          Principal: "*"
          Action: sns:Publish
          Condition:
            StringEquals:
              aws:ResourceAccount: "123456789012"

- name: Create alarm SNS topic
  sns_topic:
    name: alarms
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: exponential
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal: "*"
          Condition:
            StringEquals:
              aws:PrincipalAccount: "123456789012"
```
Negative test num. 4 - yaml file

```yaml
- name: Create SNS topic with mixed conditions
  community.aws.sns_topic:
    name: mixed-topic
    display_name: "Mixed SNS Topic"
    state: present
    policy:
      Id: mixed-topic-policy
      Version: "2012-10-17"
      Statement:
        - Sid: AllowAnyPrincipalWithRestrictions
          Effect: Allow
          Resource: "arn:aws:sns:*:*:mixed-topic"
          Principal: "*"
          Action: sns:Publish
          Condition:
            StringEquals:
              aws:VpceAccount: "123456789012"

- name: Create alarm SNS topic
  sns_topic:
    name: alarms
    state: present
    display_name: "alarm SNS topic"
    delivery_policy:
      http:
        defaultHealthyRetryPolicy:
          minDelayTarget: 2
          maxDelayTarget: 4
          numRetries: 3
          numMaxDelayRetries: 5
          backoffFunction: exponential
        disableSubscriptionOverrides: true
        defaultThrottlePolicy:
          maxReceivesPerSecond: 10
    policy:
      Version: '2022-05-02'
      Statement:
        - Effect: Allow
          Action: Publish
          Principal: "*"
          Condition:
            StringEquals:
              aws:VpceAccount: "123456789012"
```
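The positive and negative samples above together define what the query accepts and rejects: an Allow statement whose principal is a wildcard is flagged unless a condition ties it to a specific account, and a condition on some other key (the `sns:Endpoint` condition in positive test 2) does not count. The following Python checker is an added example, not the KICS query's own implementation, that applies exactly that logic to parsed Ansible tasks. The module names and the set of account-scoping condition keys (`aws:SourceAccount`, `aws:SourceOwner`, `aws:PrincipalAccount`, `aws:ResourceAccount`, `aws:VpceAccount`) are taken from the page's samples; the sample tasks embedded at the bottom are constructed from those samples with the delivery policy omitted, since the check only inspects `policy`.

```python
"""Flag SNS topic policies in Ansible tasks that grant access to any principal.

Added example mirroring the rule this page documents; it is not the KICS
query's own code. Module names and account-scoping condition keys come from
the page's samples.
"""
from typing import Any, Dict, List

# Ansible module names that create SNS topics (as used in the page's samples).
SNS_MODULES = {"sns_topic", "community.aws.sns_topic", "amazon.aws.sns_topic"}

# Condition keys that tie a wildcard principal back to a specific account.
# These are the keys the page's accepted ("negative") samples rely on.
# IAM condition keys are case-insensitive, so everything is compared lower-cased.
ACCOUNT_SCOPING_KEYS = {
    "aws:sourceaccount",
    "aws:sourceowner",
    "aws:principalaccount",
    "aws:resourceaccount",
    "aws:vpceaccount",
}


def _as_list(value: Any) -> List[Any]:
    """Normalise IAM's scalar-or-list fields to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """True for Principal: "*", Principal: {AWS: "*"}, or a list containing "*"."""
    if principal is None:
        return False
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return "*" in _as_list(principal)


def condition_scopes_account(condition: Any) -> bool:
    """True if any condition operator (StringEquals, ...) carries an account-scoping key."""
    if not isinstance(condition, dict):
        return False
    for keys in condition.values():
        if isinstance(keys, dict) and any(k.lower() in ACCOUNT_SCOPING_KEYS for k in keys):
            return True
    return False


def find_public_statements(policy: Dict[str, Any]) -> List[int]:
    """Return indices of Allow statements usable by any principal without account scoping."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")) and not condition_scopes_account(stmt.get("Condition")):
            findings.append(idx)
    return findings


def check_tasks(tasks: List[Dict[str, Any]]) -> List[str]:
    """Scan a list of Ansible tasks and return one message per offending statement."""
    results = []
    for task in tasks:
        for module in SNS_MODULES & task.keys():
            params = task[module] or {}
            policy = params.get("policy")
            if not isinstance(policy, dict):
                continue  # no topic policy set: nothing for this query to judge
            for idx in find_public_statements(policy):
                results.append(f"{task.get('name', '<unnamed>')}: {module}.policy.Statement[{idx}] "
                               "allows any principal without an account-scoping condition")
    return results


# Constructed tasks mirroring the page's samples (delivery policy omitted).
SAMPLE_TASKS = [
    {   # positive test 1: Principal AWS "*" with no Condition
        "name": "Create alarm SNS topic community",
        "community.aws.sns_topic": {
            "name": "alarms", "state": "present",
            "policy": {"Version": "2022-05-02", "Statement": [
                {"Action": "Publish", "Effect": "Allow", "Principal": {"AWS": "*"}}]},
        },
    },
    {   # positive test 2: a Condition exists, but sns:Endpoint does not scope the caller's account
        "name": "Create alarm SNS topic",
        "sns_topic": {
            "name": "alarms", "state": "present",
            "policy": {"Version": "2022-05-02", "Statement": [
                {"Effect": "Allow", "Action": "Publish", "Principal": {"AWS": "*"},
                 "Condition": {"StringEquals": {"sns:Endpoint": "my_email_address@example.com"}}}]},
        },
    },
    {   # negative test 1: explicit account principal, no wildcard
        "name": "Create alarm SNS topic (account principal)",
        "sns_topic": {
            "name": "alarms", "state": "present",
            "policy": {"Version": "2022-05-02", "Statement": [
                {"Effect": "Allow", "Action": "Publish", "Principal": "arn:aws:iam::123456789012:root"}]},
        },
    },
    {   # negative test 2: wildcard principal scoped by aws:SourceAccount
        "name": "Create SNS topic with safe policy",
        "community.aws.sns_topic": {
            "name": "secure-topic", "state": "present",
            "policy": {"Id": "secure-topic-policy", "Version": "2012-10-17", "Statement": [
                {"Sid": "AllowPublishFromSpecificAccount", "Effect": "Allow",
                 "Resource": "arn:aws:sns:*:*:secure-topic", "Principal": "*", "Action": "sns:Publish",
                 "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]},
        },
    },
]

if __name__ == "__main__":
    for line in check_tasks(SAMPLE_TASKS):
        print(line)
```

Run against the embedded tasks, the checker reports only the two positive samples; the `Principal: "*"` task survives because its `aws:SourceAccount` condition limits the statement to one account, which is the distinction the query draws. To run it over real playbooks, parse each file with a YAML loader and pass the task list (or each play's `tasks` list) to `check_tasks`.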